Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle when aud OIDC claim is an Array #4582

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

Handle when aud OIDC claim is an Array #4582

wants to merge 3 commits into from
+21 −3

Conversation

liamdiprose
Copy link

The aud claim of OIDC id_tokens can be an array but the existing logic incorrectly assumes aud is always a string.

This PR adds the necessary check.

Signed-off-by: Liam Diprose [email protected]

Checklist

  • Tests written for new code (and old code if feasible).
  • New or updated public/exported symbols have accurate TSDoc documentation.
  • Linter and other CI checks pass.
  • Sign-off given on the changes (see CONTRIBUTING.md).

@liamdiprose
Handle when aud OIDC claim is an Array
9c0d8e8 
The `aud` claim of OIDC id_tokens [can be an array](https://github.com/authts/oidc-client-ts/blob/ce6d694639c58e6a1c80904efdac5eda82b82042/src/Claims.ts#L92) but the existing logic
incorrectly assumes `aud` is always a string.

This PR adds the necessary check.
@liamdiprose liamdiprose requested a review from a team as a code owner December 11, 2024 03:09
@github-actions github-actions bot added the Z-Community-PR Issue is solved by a community member's PR label Dec 11, 2024
@liamdiprose
Copy link
Author

liamdiprose commented Dec 11, 2024
edited
Loading

I have a use case where the aud contains all the applications the token is authenticated with. I trust all of them but a unit test seems to be checking that clientId is alone:

matrix-js-sdk/spec/unit/oidc/validate.spec.ts

Lines 164 to 171 in 8155b0a

it("should throw when audience includes clientId and other audiences", () => {
mocked(jwtDecode).mockReturnValue({
...validDecodedIdToken,
aud: `${clientId},uiop,asdf`,
});
expect(() => validateIdToken(idToken, issuer, clientId, nonce)).toThrow(new Error(OidcError.InvalidIdToken));
expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
});

Can we simply trust a token if the client is in the aud?

@dbkr dbkr added the T-Defect label Dec 11, 2024
@dbkr
Copy link
Member

dbkr commented Dec 11, 2024

Yeah, I noticed the unit test above which looks wrong as far as I can see. Well... actually strictly speaking I think it's correct because I don't think a comma-separated string means multiple auds, as far as I can see... it would just be a different string, but that's not what the name of the test implies its trying to test.

So I'd be open to fixing that. If so, I'd probably suggest sanitising into an array with something like const sanitisedAuds = typeof claims.aud === 'string' : [claims.aud] : claims.aud and then doing the includes, because I find the logic there quite hard to reason about. I'd probably also prefer tests asserting it actually does the right thing with an array, rather than just not throwing. Wdyt?

@liamdiprose
Copy link
Author

Well... actually strictly speaking I think it's correct because I don't think a comma-separated string means multiple auds, as far as I can see... it would just be a different string, but that's not what the name of the test implies its trying to test.

This is my understanding as well.

I've added the check for an array that doesn't contain clientId. I think that covers all the added code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dbkr dbkr Awaiting requested review from dbkr dbkr is a code owner automatically assigned from matrix-org/element-web-reviewers

@MidhunSureshR MidhunSureshR Awaiting requested review from MidhunSureshR MidhunSureshR is a code owner automatically assigned from matrix-org/element-web-reviewers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
T-Defect Z-Community-PR Issue is solved by a community member's PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@liamdiprose @dbkr