Skip to content
This repository has been archived by the owner on Oct 9, 2023. It is now read-only.

Allow tokens with multiple audiences as long as one matches #285

Merged
merged 4 commits into from
Feb 3, 2022
Merged

Allow tokens with multiple audiences as long as one matches #285

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2123339
Allow tokens with multiple audiences as long as one matches
EngHabu Nov 9, 2021
6d61085
Added unit tests
pmahindrakar-oss Feb 2, 2022
d7c81bf
Adding matched audience index in the context
pmahindrakar-oss Feb 3, 2022
c761a3a
Update mocks
pmahindrakar-oss Feb 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 10 additions & 5 deletions auth/authzserver/provider.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,12 +133,17 @@ func (p Provider) ValidateAccessToken(ctx context.Context, expectedAudience, tok

func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{}) (interfaces.IdentityContext, error) {
claims := jwtx.ParseMapStringInterfaceClaims(claimsRaw)
if len(claims.Audience) != 1 {
return nil, fmt.Errorf("expected exactly one granted audience. found [%v]", len(claims.Audience))

foundAudIndex := -1
for audIndex, aud := range claims.Audience {
if expectedAudience.Has(aud) {
foundAudIndex = audIndex
break
}
}

if !expectedAudience.Has(claims.Audience[0]) {
return nil, fmt.Errorf("invalid audience [%v]", claims.Audience[0])
if foundAudIndex < 0 {
return nil, fmt.Errorf("invalid audience [%v]", claims)
}

userInfo := &service.UserInfoResponse{}
Expand Down Expand Up @@ -170,7 +175,7 @@ func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{}
scopes.Insert(auth.ScopeAll)
}

return auth.NewIdentityContext(claims.Audience[0], claims.Subject, clientID, claims.IssuedAt, scopes, userInfo), nil
return auth.NewIdentityContext(claims.Audience[foundAudIndex], claims.Subject, clientID, claims.IssuedAt, scopes, userInfo), nil
}

// NewProvider creates a new OAuth2 Provider that is able to do OAuth 2-legged and 3-legged flows. It'll lookup
Expand Down
44 changes: 44 additions & 0 deletions auth/authzserver/provider_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -235,5 +235,49 @@ func Test_verifyClaims(t *testing.T) {
assert.Equal(t, sets.NewString("all", "offline"), identityCtx.Scopes())
assert.Equal(t, "my-client", identityCtx.AppID())
assert.Equal(t, "123", identityCtx.UserID())
assert.Equal(t, "https://myserver", identityCtx.Audience())
})

t.Run("Multiple audience", func(t *testing.T) {
identityCtx, err := verifyClaims(sets.NewString("https://myserver", "https://myserver2"),
map[string]interface{}{
"aud": []string{"https://myserver"},
"user_info": map[string]interface{}{
"preferred_name": "John Doe",
},
"sub": "123",
"client_id": "my-client",
"scp": []interface{}{"all", "offline"},
})

assert.NoError(t, err)
assert.Equal(t, "https://myserver", identityCtx.Audience())
})

t.Run("No matching audience", func(t *testing.T) {
_, err := verifyClaims(sets.NewString("https://myserver", "https://myserver2"),
map[string]interface{}{
"aud": []string{"https://myserver3"},
})

assert.Error(t, err)
assert.Contains(t, err.Error(), "invalid audience")
})

t.Run("Use first matching audience", func(t *testing.T) {
identityCtx, err := verifyClaims(sets.NewString("https://myserver", "https://myserver2", "https://myserver3"),
map[string]interface{}{
"aud": []string{"https://myserver", "https://myserver2"},
"user_info": map[string]interface{}{
"preferred_name": "John Doe",
},
"sub": "123",
"client_id": "my-client",
"scp": []interface{}{"all", "offline"},
})

assert.NoError(t, err)
assert.Equal(t, "https://myserver", identityCtx.Audience())
})

}
1 change: 1 addition & 0 deletions auth/interfaces/context.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ type AuthenticationContext interface {
// to the platform.
type IdentityContext interface {
UserID() string
Audience() string
AppID() string
UserInfo() *service.UserInfoResponse
AuthenticatedAt() time.Time
Expand Down
32 changes: 32 additions & 0 deletions auth/interfaces/mocks/identity_context.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.