From 1c6202658e73039163a8a6dda9ce9e9bfac200b6 Mon Sep 17 00:00:00 2001
From: Travis Spencer
Date: Sat, 28 Sep 2019 17:23:47 +0200
Subject: [PATCH] Validate aud claim as list or string, not just string
Signed-off-by: Travis Spencer
---
 .../security/openid/OpenIdCredentials.java | 27 +++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
index 85df9e28b04..f2ddede3e90 100644
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@@ -25,7 +25,9 @@ import java.io.Serializable;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
 import java.util.Base64;
+import java.util.List;
 import java.util.Map;
 import org.eclipse.jetty.util.IO;
@@ -122,8 +124,7 @@ public class OpenIdCredentials implements Serializable
 throw new IllegalArgumentException("Issuer Identifier MUST exactly match the iss Claim");
 // The aud (audience) Claim MUST contain the client_id value.
- if (!configuration.getClientId().equals(claims.get("aud")))
- throw new IllegalArgumentException("Audience Claim MUST contain the client_id value");
+ validateAudience();
 // If an azp (authorized party) Claim is present, verify that its client_id is the Claim Value.
 Object azp = claims.get("azp");
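Review bot: `java.util.List` is added to the imports in the first hunk, but nothing in the patch refers to the type by name — the new `validateAudience` only calls `Arrays.asList((Object[])aud).contains(clientId)` without binding the result, so the import is currently unused. Either drop the import or give the list a name in the method, `List<Object> audiences = Arrays.asList((Object[])aud);`, which would also let the later azp check inspect `audiences.size()` rather than treating every array-valued `aud` as multi-audience. Only the import block is visible in this hunk; the rest of the file's imports lie outside it.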
@@ -131,6 +132,28 @@ public class OpenIdCredentials implements Serializable
 throw new IllegalArgumentException("Authorized party claim value should be the client_id");
 }
+ private void validateAudience()
+ {
+ Object aud = claims.get("aud");
+ String clientId = configuration.getClientId();
+ boolean isString = aud instanceof String;
+ boolean isList = aud instanceof Object[];
+ boolean isValidType = isString || isList;
+
+ if (isString && !clientId.equals(aud))
+ throw new IllegalArgumentException("Audience Claim MUST contain the client_id value");
+ else if (isList)
+ {
+ if (!Arrays.asList((Object[])aud).contains(clientId))
+ throw new IllegalArgumentException("Audience Claim MUST contain the client_id value");
+
+ if (claims.get("azp") == null)
+ throw new IllegalArgumentException("A multi-audience ID token needs to contain an azp claim");
+ }
+ else if (!isValidType)
+ throw new IllegalArgumentException("Audience claim was not valid");
+ }
+
 public boolean isExpired()
 {
 if (authCode != null || claims == null)
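Review bot: The `claims.get("azp") == null` check inside the `isList` branch fires for any array-valued `aud`, including a one-element array such as `["<client_id>"]`, which OpenID Connect Core permits as an equivalent spelling of the single-string form and for which no azp claim is required — such tokens would be rejected with "A multi-audience ID token needs to contain an azp claim". The requirement should be gated on the array actually holding more than one audience: `List<Object> audiences = Arrays.asList((Object[])aud);`, `if (!audiences.contains(clientId))` for the membership test, and `if (audiences.size() > 1 && claims.get("azp") == null)` for the azp presence test, with a comment such as `// OIDC Core 3.1.3.7 step 4: azp is only required when there are multiple audiences`. The rejection is fail-closed, so this is an interoperability bug rather than a bypass, and the azp value itself is still compared against the client_id by the existing code that follows the call site. The `aud instanceof Object[]` test presumably matches how this class's JSON parser represents arrays; if a parser returned a `List` instead, every multi-audience token would land in the "Audience claim was not valid" branch, which is worth a short comment on the `isList` line. The trailing `else if (!isValidType)` is reachable only when neither `isString` nor `isList` holds, so a plain `else` says the same thing without the extra flag.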