tenzir · lava · Mar 14, 2025 · Mar 14, 2025
diff --git a/cli/tenzir_platform/helpers/auth_rule.py b/cli/tenzir_platform/helpers/auth_rule.py
@@ -49,9 +49,14 @@ class UserAuthRule(BaseModel):
     user_id: str
 
 
+class AllowAllRule(BaseModel):
+    auth_fn: Literal["auth_allow_all"] = "auth_allow_all"
+
+
 AuthRule = (
     UserAuthRule
     | EmailDomainRule
     | RoleAndOrganizationRule
     | OrganizationMembershipRule
+    | AllowAllRule
 )
diff --git a/cli/tenzir_platform/helpers/oidc.py b/cli/tenzir_platform/helpers/oidc.py
@@ -85,6 +85,8 @@ def reauthenticate_token(self, interactive: bool = True) -> str:
             token_data = self._device_code_flow()
         else:
             token_data = self._client_credentials_flow()
+        if self.verbose:
+            print(f"received token data: {token_data}")
         return self._unwrap_flow_result(token_data)
 
     def _device_code_flow(self) -> dict[str, str]:
@@ -157,7 +159,20 @@ def _client_credentials_flow(self) -> dict[str, str]:
         return response.json()
 
     def _unwrap_flow_result(self, token_data: dict[str, str]) -> str:
-        id_token = token_data["id_token"]
+        if "id_token" in token_data:
+            id_token = token_data["id_token"]
+        elif "access_token" in token_data:
+            # Some identity providers don't provide an id token for decive
+            # code authorization. If the access token is in JWT format, we
+            # can still salvage this.
+            try:
+                self.validate_token(token_data["access_token"])
+            except:
+                raise Exception("access token is not in JWT format")
+            print("warning: no id_token in response from identity provider, falling back to access_token")
+            id_token = token_data["access_token"]
+        else:
+            raise Exception(f"cannot process token response: {token_data}")
         current_user = self.validate_token(id_token)
         if self.verbose:
             print(f"obtained id_token: {current_user}")

diff --git a/cli/tenzir_platform/subcommand_admin.py b/cli/tenzir_platform/subcommand_admin.py
@@ -6,6 +6,7 @@
   tenzir-platform admin add-auth-rule [-d] organization-membership <workspace_id> <organization_claim> <organization> [--connection=<connection>]
   tenzir-platform admin add-auth-rule [-d] organization-role <workspace_id> <roles_claim> <role> <organization_claim> <organization> [--connection=<connection>]
   tenzir-platform admin add-auth-rule [-d] user <workspace_id> <user_id>
+  tenzir-platform admin add-auth-rule [-d] allow-all <workspace_id>
   tenzir-platform admin delete-auth-rule <workspace_id> <auth_rule_index>
   tenzir-platform admin list-auth-rules <workspace_id>
   tenzir-platform admin create-workspace <owner_namespace> <owner_id> [--name=<workspace_name>] [--category=<workspace_category>]
@@ -39,6 +40,7 @@
     EmailDomainRule,
     RoleAndOrganizationRule,
     OrganizationMembershipRule,
+    AllowAllRule,
 )
 from pydantic import BaseModel
 from typing import Optional
@@ -190,6 +192,8 @@ def auth_rule_from_arguments(arguments) -> AuthRule:
         )
     elif arguments["user"]:
         auth_rule = UserAuthRule(user_id=user_id)
+    elif arguments["allow-all"]:
+        auth_rule = AllowAllRule()
     else:
         raise Exception("couldn't determine auth rule from command-line arguments")
     return auth_rule