diff --git a/spec/unit/oidc/validate.spec.ts b/spec/unit/oidc/validate.spec.ts
index ca0f415f0e..bfb40a15b5 100644
--- a/spec/unit/oidc/validate.spec.ts
+++ b/spec/unit/oidc/validate.spec.ts
@@ -170,7 +170,7 @@ describe("validateIdToken()", () => {
 expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
 });
 
- it("should not throw for a list of trusted audiences", () => {
+ it("should not throw when audience is an array that includes clientId", () => {
 mocked(jwtDecode).mockReturnValue({
 ...validDecodedIdToken,
 aud: [clientId],
@@ -178,6 +178,15 @@ describe("validateIdToken()", () => {
 expect(() => validateIdToken(idToken, issuer, clientId, nonce)).not.toThrow();
 });
 
+ it("should throw when audience is an array that does not include clientId", () => {
+ mocked(jwtDecode).mockReturnValue({
+ ...validDecodedIdToken,
+ aud: [`${clientId},uiop`, "asdf"],
+ });
+ expect(() => validateIdToken(idToken, issuer, clientId, nonce)).toThrow(new Error(OidcError.InvalidIdToken));
+ expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
+ });
+
 it("should throw when nonce does not match", () => {
 mocked(jwtDecode).mockReturnValue({
 ...validDecodedIdToken,
diff --git a/src/oidc/validate.ts b/src/oidc/validate.ts
index 1defc7a31b..56eb3ca689 100644
--- a/src/oidc/validate.ts
+++ b/src/oidc/validate.ts
@@ -179,7 +179,8 @@ export const validateIdToken = (
 * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
 * EW: Don't accept tokens with other untrusted audiences
 * */
- if (claims.aud !== clientId && !(Array.isArray(claims.aud) && claims.aud.includes(clientId))) {
+ const sanitisedAuds = typeof claims.aud === 'string' ? [claims.aud] : claims.aud;
+ if (!sanitisedAuds.includes(clientId)) {
 throw new Error("Invalid audience");
 }
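Review bot: The new check in validate.ts still accepts any array that merely contains clientId, so a token with `aud: [clientId, "untrusted"]` passes even though the comment directly above it says tokens with additional untrusted audiences MUST be rejected, and the new spec case in validate.spec.ts only exercises arrays that omit clientId, so that gap stays untested. OIDC Core 3.1.3.7 requires rejecting audiences the client does not trust (and checking `azp` when several are present), so either tighten the guard to `if (sanitisedAuds.length !== 1 || sanitisedAuds[0] !== clientId) {` with a matching spec case, or reword the comment to describe the looser behaviour actually implemented. Separately, if `claims.aud` can be absent or a non-string here, the new line turns the previous clean "Invalid audience" rejection into a TypeError on `.includes`; `const sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : (claims.aud ?? []);` keeps the intended error path. The added line also uses single quotes where the surrounding file uses double quotes. validateIdToken continues outside this hunk.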