Conversation


@WhammyLeaf WhammyLeaf commented Nov 24, 2025

A work in progress

Summary by CodeRabbit

  • New Features

    • Added configuration flags to skip issuer, audience, and expiry validation checks.
    • Flags can be set via environment variables: OIDC_SKIP_ISSUER_CHECK, OIDC_SKIP_AUDIENCE_CHECK, OIDC_SKIP_EXPIRY_CHECK, or via configuration builder.
  • Bug Fixes

    • Token validation now respects the configured skip flags for issuer, audience and expiry checks.



coderabbitai bot commented Nov 24, 2025

Walkthrough

Three boolean flags — SkipIssuerCheck, SkipAudienceCheck, SkipExpiryCheck — were added to configuration (builder and FromEnv), a parseBoolEnv helper was introduced, and those flags are propagated into provider.Config to control validator checks instead of hardcoded values.

Changes

Cohort / File(s) Summary
Configuration layer
config.go
Added SkipIssuerCheck, SkipAudienceCheck, SkipExpiryCheck to Config; added builder methods WithSkipIssuerCheck, WithSkipAudienceCheck, WithSkipExpiryCheck; added parseBoolEnv(key, defaultVal) and wired env vars OIDC_SKIP_ISSUER_CHECK, OIDC_SKIP_AUDIENCE_CHECK, OIDC_SKIP_EXPIRY_CHECK into FromEnv flow; imported strconv.
Provider layer
provider/provider.go
Added SkipIssuerCheck, SkipAudienceCheck, SkipExpiryCheck to provider.Config; updated validator initialization to use cfg.SkipIssuerCheck, cfg.SkipAudienceCheck, cfg.SkipExpiryCheck (replacing hardcoded false values); minor formatting tweak.

Sequence Diagram(s)

sequenceDiagram
    participant App as Application
    participant Conf as ConfigBuilder
    participant Prov as Provider
    participant Val as Validator

    App->>Conf: Build config (FromEnv or fluent)
    note right of Conf: Config now includes skip flags
    Conf->>Prov: createProvider(cfg)
    Prov->>Val: init validator with\nSkipIssuerCheck, SkipAudienceCheck, SkipExpiryCheck
    Val-->>Prov: validator instance
    Prov-->>App: provider (validator configured)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Review focus:
    • parseBoolEnv correctness and default behavior in config.go.
    • Consistent propagation of flags from Config → provider.Config → validator initialization.
    • Builder method names, doc-comments, and environment variable names.

Poem

🐰 I nibble code beneath moonlight bright,
Three little flags to tweak the night.
From env to builder, then onward they sweep,
Into validators where watchers keep.
A hop, a patch, and carrot-sweet delight. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title clearly and specifically describes the main change: adding support for skipping OIDC validation checks, which aligns with the addition of three skip flags (SkipIssuerCheck, SkipAudienceCheck, SkipExpiryCheck) throughout the codebase.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14f9009 and 65f35e5.

📒 Files selected for processing (2)
  • config.go (4 hunks)
  • provider/provider.go (2 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
config.go (2)
provider/provider.go (1)
  • Logger (24-29)
logger.go (1)
  • Logger (22-27)
🔇 Additional comments (4)
provider/provider.go (2)

33-40: LGTM with security caveat.

The new configuration fields are correctly defined. However, these flags bypass critical security validations.

Ensure these flags are:

  1. Documented with clear security warnings
  2. Used only in development/testing environments
  3. Never enabled in production

Consider adding runtime warnings when these checks are disabled.


209-211: LGTM!

The validator configuration correctly maps the new config flags to the OIDC verifier settings, replacing the previously hardcoded false values.

config.go (2)

34-38: LGTM!

The configuration fields are correctly defined with appropriate documentation.


318-320: Missing test coverage for security bypass flags.

Verification confirms no tests exist for the new skip flags. Critical test coverage gaps:

  • Environment variable parsing tests (OIDC_SKIP_AUDIENCE_CHECK, OIDC_SKIP_ISSUER_CHECK, OIDC_SKIP_EXPIRY_CHECK)
  • Validation that flags default to false (secure-by-default)
  • Independent flag behavior verification
  • Combined flag scenarios

Add tests covering all above cases before merging, particularly to ensure security defaults are maintained.

@WhammyLeaf WhammyLeaf force-pushed the add-more-custom-config-vars branch from bd04072 to 8d50963 November 24, 2025 14:44
@WhammyLeaf WhammyLeaf changed the title Add more custom config vars Support skipping OIDC validation checks Nov 24, 2025
@WhammyLeaf WhammyLeaf force-pushed the add-more-custom-config-vars branch from 8d50963 to 31b7df3 November 24, 2025 14:47
Signed-off-by: Christian Troelsen <christian.troelsen@tryg.dk>
@WhammyLeaf WhammyLeaf force-pushed the add-more-custom-config-vars branch from 31b7df3 to 5fbe515 November 24, 2025 15:23

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
config.go (2)

36-39: LGTM: Skip validation flags added correctly.

The three boolean fields are well-named and properly integrated into the Config struct. They default to false (validation enabled), which is the safe default.

Optional: Consider adding doc comments to each field explaining the security implications of skipping these validation checks, especially for users who may not fully understand OIDC security requirements.


327-338: LGTM: Robust boolean parsing with safe defaults.

The parseBoolEnv helper correctly uses strconv.ParseBool to handle standard boolean representations and safely falls back to the default value on parse errors or empty values. This fail-safe approach ensures validation remains enabled by default.

Optional: Consider logging parse errors to aid debugging when users provide invalid boolean values (e.g., "yes" instead of "true"). However, the current silent fallback is safe and acceptable.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bd04072 and 5fbe515.

📒 Files selected for processing (2)
  • config.go (5 hunks)
  • provider/provider.go (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • provider/provider.go
🧰 Additional context used
🧬 Code graph analysis (1)
config.go (2)
provider/provider.go (1)
  • Logger (24-29)
logger.go (1)
  • Logger (22-27)
🔇 Additional comments (4)
config.go (4)

5-5: LGTM: Import added for boolean parsing.

The strconv import is necessary for the parseBoolEnv helper and is correctly placed.


127-135: LGTM: Skip flags correctly propagated to provider config.

The mapping from Config to provider.Config is correct, including the previously identified copy-paste error on line 135 which has been properly fixed (now correctly maps SkipExpiryCheck to cfg.SkipExpiryCheck).


235-251: LGTM: Builder methods follow the pattern correctly.

The three new builder methods are properly implemented following the fluent builder pattern. Documentation comments are correct and consistent (previous typos have been fixed).


319-321: LGTM: Environment variable parsing implemented correctly.

The skip flags are properly initialized from environment variables using the parseBoolEnv helper, which correctly handles boolean values. Safe defaults (false = validation enabled) are used, and the environment variable names follow clear naming conventions.
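Editor's note, not part of the PR thread above: the two reviews describe a parseBoolEnv helper built on strconv.ParseBool that falls back to its default on empty or unparsable input, three OIDC_SKIP_* variables that default to false, and (in the first review) a request for runtime warnings when a check is disabled. The Go program below is an added illustration of that behaviour and of what each flag lets through, written for this page; it is not the project's config.go or provider.go. The type and function names (skipConfig, loadSkipConfig, securityWarnings, claims, validateClaims, mapLookup) and the lookup-function signature are assumptions chosen so the parsing can be exercised against a constructed environment instead of the real one; only the variable names and the ParseBool fallback come from the reviews.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"time"
)

// skipConfig stands in for the three flags the PR adds (assumed shape,
// not the project's own Config struct).
type skipConfig struct {
	SkipIssuerCheck   bool
	SkipAudienceCheck bool
	SkipExpiryCheck   bool
}

// parseBoolEnv reads key through lookup and parses it with strconv.ParseBool.
// Unset, empty or unparsable values (e.g. "yes") yield defaultVal, so a typo
// can never switch a check off: the fallback is always "validate".
func parseBoolEnv(lookup func(string) (string, bool), key string, defaultVal bool) bool {
	raw, ok := lookup(key)
	if !ok || raw == "" {
		return defaultVal
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return defaultVal
	}
	return v
}

// loadSkipConfig wires the OIDC_SKIP_* variables named in the PR to the flags,
// each defaulting to false (validation enabled).
func loadSkipConfig(lookup func(string) (string, bool)) skipConfig {
	return skipConfig{
		SkipIssuerCheck:   parseBoolEnv(lookup, "OIDC_SKIP_ISSUER_CHECK", false),
		SkipAudienceCheck: parseBoolEnv(lookup, "OIDC_SKIP_AUDIENCE_CHECK", false),
		SkipExpiryCheck:   parseBoolEnv(lookup, "OIDC_SKIP_EXPIRY_CHECK", false),
	}
}

// securityWarnings returns one message per disabled check; logging these at
// startup is the runtime warning the first review asked for.
func securityWarnings(c skipConfig) []string {
	var w []string
	if c.SkipIssuerCheck {
		w = append(w, "OIDC issuer check disabled: ID tokens from any issuer are accepted")
	}
	if c.SkipAudienceCheck {
		w = append(w, "OIDC audience check disabled: tokens minted for other clients are accepted")
	}
	if c.SkipExpiryCheck {
		w = append(w, "OIDC expiry check disabled: expired tokens are accepted")
	}
	return w
}

// claims holds the subset of ID-token claims the three checks look at.
type claims struct {
	Issuer   string
	Audience []string
	Expiry   time.Time
}

// validateClaims applies each check unless its skip flag is set. Minimal
// illustration of the verifier's behaviour, not the library's verifier.
func validateClaims(c claims, cfg skipConfig, wantIssuer, wantAudience string, now time.Time) error {
	if !cfg.SkipIssuerCheck && c.Issuer != wantIssuer {
		return fmt.Errorf("issuer mismatch: got %q, want %q", c.Issuer, wantIssuer)
	}
	if !cfg.SkipAudienceCheck {
		found := false
		for _, a := range c.Audience {
			found = found || a == wantAudience
		}
		if !found {
			return fmt.Errorf("audience %q not present in token", wantAudience)
		}
	}
	if !cfg.SkipExpiryCheck && !now.Before(c.Expiry) {
		return errors.New("token expired")
	}
	return nil
}

// mapLookup adapts a constructed map to the os.LookupEnv signature.
func mapLookup(env map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) { v, ok := env[k]; return v, ok }
}

func main() {
	// Constructed sample environment: "yes" is not a ParseBool value and falls
	// back to false; "true" disables only the expiry check.
	env := map[string]string{"OIDC_SKIP_ISSUER_CHECK": "yes", "OIDC_SKIP_EXPIRY_CHECK": "true"}
	cfg := loadSkipConfig(mapLookup(env))
	for _, w := range securityWarnings(cfg) {
		fmt.Println("WARNING:", w)
	}
	now := time.Date(2025, 11, 24, 12, 0, 0, 0, time.UTC)
	tok := claims{Issuer: "https://idp.example", Audience: []string{"my-client"}, Expiry: now.Add(-time.Hour)}
	fmt.Println("strict:     ", validateClaims(tok, skipConfig{}, "https://idp.example", "my-client", now))
	fmt.Println("skip expiry:", validateClaims(tok, cfg, "https://idp.example", "my-client", now))
	_ = loadSkipConfig(os.LookupEnv) // production callers pass the real environment
}
```

The point worth taking from the run: with the constructed environment the issuer flag stays false because "yes" does not parse, so the same expired token is rejected under the default config, accepted once OIDC_SKIP_EXPIRY_CHECK=true, and still rejected when the issuer or audience is wrong. The warning list makes an enabled bypass visible in startup logs, which is the cheapest guard against one of these variables leaking into a production deployment.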
