feat: Allow at most one claim based OpenID IDP (#16145)

2025-11-07 12:52:58 -05:00 · 2022-11-29 15:40:49 -08:00
parent be92cf5959
commit 87cbd41265
5 changed files with 57 additions and 25 deletions
--- a/internal/config/identity/openid/openid.go
+++ b/internal/config/identity/openid/openid.go
@@ -204,10 +204,7 @@ func LookupConfig(s config.Config, transport http.RoundTripper, closeRespFn func
 		closeRespFn:      closeRespFn,
 	}

-	var (
-		hasLegacyPolicyMapping = false
-		seenClientIDs          = set.NewStringSet()
-	)
+	seenClientIDs := set.NewStringSet()

 	deprecatedKeys := []string{JwksURL}

@@ -376,9 +373,8 @@ func LookupConfig(s config.Config, transport http.RoundTripper, closeRespFn func
 		arnKey := p.roleArn
 		if p.RolePolicy == "" {
 			arnKey = DummyRoleARN
-			hasLegacyPolicyMapping = true
-			// Ensure that when a JWT policy claim based provider
-			// exists, it is the only one.
+			// Ensure that at most one JWT policy claim based provider may be
+			// defined.
 			if _, ok := c.arnProviderCfgsMap[DummyRoleARN]; ok {
 				return c, errSingleProvider
 			}
@@ -392,12 +388,6 @@ func LookupConfig(s config.Config, transport http.RoundTripper, closeRespFn func
 		}
 	}

-	// Ensure that when a JWT policy claim based provider
-	// exists, it is the only one.
-	if hasLegacyPolicyMapping && len(c.ProviderCfgs) > 1 {
-		return c, errSingleProvider
-	}
-
 	c.Enabled = true

 	return c, nil