With self-managed instances, the iss (issuer) value on the inbound JWT is going to differ based on the URL of the service.
Probably the place to add a lookup:
|
def find_publisher_by_issuer( |
|
session: Session, |
|
issuer_url: str, |
|
signed_claims: SignedClaims, |
|
*, |
|
pending: bool = False, |
|
) -> OIDCPublisher | PendingOIDCPublisher: |
|
""" |
|
Given an OIDC issuer URL and a dictionary of claims that have been verified |
|
for a token from that OIDC issuer, retrieve either an `OIDCPublisher` registered |
|
to one or more projects or a `PendingOIDCPublisher`, varying with the |
|
`pending` parameter. |
|
|
|
Returns `None` if no publisher can be found. |
|
""" |
|
|
|
try: |
|
publisher_cls = OIDC_PUBLISHER_CLASSES[issuer_url][pending] |
|
except KeyError: |
|
# This indicates a logic error, since we shouldn't have verified |
|
# claims for an issuer that we don't recognize and support. |
|
raise InvalidPublisherError(f"Issuer {issuer_url!r} is unsupported") |
|
|
|
# Before looking up the publisher by claims, we need to ensure that all expected |
|
# claims are present in the JWT. |
|
publisher_cls.check_claims_existence(signed_claims) |
|
|
|
return publisher_cls.lookup_by_claims(session, signed_claims) |
