Merge pull request #4135 from travisspencer/4134-fix-aud

Issue #4134 - Validate audience (aud) claim as list or string, not just string
This commit is contained in:
Lachlan 2019-10-08 09:28:22 +11:00 committed by GitHub
commit 6e698df4d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 24 additions and 2 deletions


@ -27,6 +27,7 @@ import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import org.eclipse.jetty.util.IO;
@ -123,8 +124,7 @@ public class OpenIdCredentials implements Serializable
throw new IllegalArgumentException("Issuer Identifier MUST exactly match the iss Claim");
// The aud (audience) Claim MUST contain the client_id value.
if (!configuration.getClientId().equals(claims.get("aud")))
throw new IllegalArgumentException("Audience Claim MUST contain the client_id value");
validateAudience();
// If an azp (authorized party) Claim is present, verify that its client_id is the Claim Value.
Object azp = claims.get("azp");
@ -132,6 +132,28 @@ public class OpenIdCredentials implements Serializable
throw new IllegalArgumentException("Authorized party claim value should be the client_id");
}
private void validateAudience()
{
Object aud = claims.get("aud");
String clientId = configuration.getClientId();
boolean isString = aud instanceof String;
boolean isList = aud instanceof Object[];
boolean isValidType = isString || isList;
if (isString && !clientId.equals(aud))
throw new IllegalArgumentException("Audience Claim MUST contain the client_id value");
else if (isList)
{
if (!Arrays.asList((Object[])aud).contains(clientId))
throw new IllegalArgumentException("Audience Claim MUST contain the client_id value");
if (claims.get("azp") == null)
throw new IllegalArgumentException("A multi-audience ID token needs to contain an azp claim");
}
else if (!isValidType)
throw new IllegalArgumentException("Audience claim was not valid");
}
public boolean isExpired()
{
if (authCode != null || claims == null)
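Review bot: In validateAudience() the azp requirement fires for any array-valued aud, including a one-element array, whereas OpenID Connect Core 3.1.3.7 only asks for azp when the token carries multiple audiences; providers that always emit aud as an array would have their single-audience tokens rejected here, so the check should be guarded by the array length. The isString/isList/isValidType flags also make the branch order harder to read than it needs to be: testing aud with instanceof directly lets the final `else if (!isValidType)` become a plain else with the same behaviour, and the same "Audience Claim MUST contain the client_id value" message is still thrown in both mismatch cases. Separately, the hunk at line 27 adds `import java.util.List;` but this hunk only uses Arrays.asList on an Object[]; unless List is used elsewhere in the file that import is unused. The caller's azp-vs-client_id check after `validateAudience();` continues past the end of the second hunk and is not affected.
```java
private void validateAudience()
{
    Object aud = claims.get("aud");
    String clientId = configuration.getClientId();
    if (aud instanceof String)
    {
        if (!clientId.equals(aud))
            throw new IllegalArgumentException("Audience Claim MUST contain the client_id value");
    }
    else if (aud instanceof Object[])
    {
        Object[] audiences = (Object[])aud;
        if (!Arrays.asList(audiences).contains(clientId))
            throw new IllegalArgumentException("Audience Claim MUST contain the client_id value");
        // OIDC Core 3.1.3.7 step 4: azp is only required when there are multiple audiences
        if (audiences.length > 1 && claims.get("azp") == null)
            throw new IllegalArgumentException("A multi-audience ID token needs to contain an azp claim");
    }
    else
        throw new IllegalArgumentException("Audience claim was not valid");
}
```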