Issue #6618 - azp claim should not be required for single value aud array

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
This commit is contained in:
Lachlan Roberts 2021-08-16 10:45:26 +10:00
parent 10ef07b9e7
commit 9af67f8bff
3 changed files with 49 additions and 7 deletions

View File

@ -35,6 +35,7 @@ public class JwtDecoder
* @param jwt the JWT to decode.
* @return the map of claims encoded in the JWT.
*/
@SuppressWarnings("unchecked")
public static Map<String, Object> decode(String jwt)
{
if (LOG.isDebugEnabled())
@ -54,7 +55,6 @@ public class JwtDecoder
Object parsedJwtHeader = json.fromJSON(jwtHeaderString);
if (!(parsedJwtHeader instanceof Map))
throw new IllegalStateException("Invalid JWT header");
@SuppressWarnings("unchecked")
Map<String, Object> jwtHeader = (Map<String, Object>)parsedJwtHeader;
if (LOG.isDebugEnabled())
LOG.debug("JWT Header: {}", jwtHeader);

View File

@ -15,6 +15,7 @@ package org.eclipse.jetty.security.openid;
import java.io.Serializable;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
@ -95,7 +96,7 @@ public class OpenIdCredentials implements Serializable
claims = JwtDecoder.decode(idToken);
if (LOG.isDebugEnabled())
LOG.debug("claims {}", claims);
validateClaims(configuration);
validateClaims(claims, configuration);
}
finally
{
@ -105,14 +106,14 @@ public class OpenIdCredentials implements Serializable
}
}
private void validateClaims(OpenIdConfiguration configuration) throws Exception
static void validateClaims(Map<String, Object> claims, OpenIdConfiguration configuration) throws Exception
{
// Issuer Identifier for the OpenID Provider MUST exactly match the value of the iss (issuer) Claim.
if (!configuration.getIssuer().equals(claims.get("iss")))
throw new AuthenticationException("Issuer Identifier MUST exactly match the iss Claim");
// The aud (audience) Claim MUST contain the client_id value.
validateAudience(configuration);
validateAudience(claims, configuration);
// If an azp (authorized party) Claim is present, verify that its client_id is the Claim Value.
Object azp = claims.get("azp");
@ -126,7 +127,7 @@ public class OpenIdCredentials implements Serializable
throw new AuthenticationException("ID Token has expired");
}
private void validateAudience(OpenIdConfiguration configuration) throws AuthenticationException
private static void validateAudience(Map<String, Object> claims, OpenIdConfiguration configuration) throws AuthenticationException
{
Object aud = claims.get("aud");
String clientId = configuration.getClientId();
@ -138,10 +139,11 @@ public class OpenIdCredentials implements Serializable
throw new AuthenticationException("Audience Claim MUST contain the client_id value");
else if (isList)
{
if (!Arrays.asList((Object[])aud).contains(clientId))
List<Object> list = Arrays.asList((Object[])aud);
if (!list.contains(clientId))
throw new AuthenticationException("Audience Claim MUST contain the client_id value");
if (claims.get("azp") == null)
if (list.size() > 1 && claims.get("azp") == null)
throw new AuthenticationException("A multi-audience ID token needs to contain an azp claim");
}
else if (!isValidType)

View File

@ -0,0 +1,40 @@
//
// ========================================================================
// Copyright (c) 1995-2021 Mort Bay Consulting Pty Ltd and others.
//
// This program and the accompanying materials are made available under the
// terms of the Eclipse Public License v. 2.0 which is available at
// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
// which is available at https://www.apache.org/licenses/LICENSE-2.0.
//
// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
// ========================================================================
//
package org.eclipse.jetty.security.openid;
import java.util.HashMap;
import java.util.Map;
import org.eclipse.jetty.client.HttpClient;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
public class OpenIdCredentialsTest
{
@Test
public void testSingleAudienceValueInArray() throws Exception
{
String issuer = "myIssuer123";
String clientId = "myClientId456";
OpenIdConfiguration configuration = new OpenIdConfiguration(issuer, "", "", clientId, "", new HttpClient());
Map<String, Object> claims = new HashMap<>();
claims.put("iss", issuer);
claims.put("aud", new String[]{clientId});
claims.put("exp", System.currentTimeMillis() + 5000);
assertDoesNotThrow(() -> OpenIdCredentials.validateClaims(claims, configuration));
}
}