Merge pull request #6620 from eclipse/jetty-10.0.x-6618-OpenID-audArray

Issue #6618 - azp claim should not be required for single value aud array
2021-08-19 09:36:33 +10:00 · 2021-08-19 09:36:33 +10:00 · ee24872d09
parent 1acf54ba59 ffc7f0595e
commit ee24872d09
3 changed files with 59 additions and 4 deletions
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/JwtDecoder.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/JwtDecoder.java
@ -35,6 +35,7 @@ public class JwtDecoder
     * @param jwt the JWT to decode.
     * @return the map of claims encoded in the JWT.
     */
+    @SuppressWarnings("unchecked")
    public static Map<String, Object> decode(String jwt)
    {
        if (LOG.isDebugEnabled())
@ -54,7 +55,6 @@ public class JwtDecoder
        Object parsedJwtHeader = json.fromJSON(jwtHeaderString);
        if (!(parsedJwtHeader instanceof Map))
            throw new IllegalStateException("Invalid JWT header");
-        @SuppressWarnings("unchecked")
        Map<String, Object> jwtHeader = (Map<String, Object>)parsedJwtHeader;
        if (LOG.isDebugEnabled())
            LOG.debug("JWT Header: {}", jwtHeader);
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@ -15,6 +15,7 @@ package org.eclipse.jetty.security.openid;

 import java.io.Serializable;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;

@ -45,6 +46,14 @@ public class OpenIdCredentials implements Serializable
    private String authCode;
    private Map<String, Object> response;
    private Map<String, Object> claims;
+    private boolean verified = false;
+
+    public OpenIdCredentials(Map<String, Object> claims)
+    {
+        this.redirectUri = null;
+        this.authCode = null;
+        this.claims = claims;
+    }

    public OpenIdCredentials(String authCode, String redirectUri)
    {
@ -95,7 +104,6 @@ public class OpenIdCredentials implements Serializable
                claims = JwtDecoder.decode(idToken);
                if (LOG.isDebugEnabled())
                    LOG.debug("claims {}", claims);
-                validateClaims(configuration);
            }
            finally
            {
@ -103,6 +111,12 @@ public class OpenIdCredentials implements Serializable
                authCode = null;
            }
        }
+
+        if (!verified)
+        {
+            validateClaims(configuration);
+            verified = true;
+        }
    }

    private void validateClaims(OpenIdConfiguration configuration) throws Exception
@ -138,10 +152,11 @@ public class OpenIdCredentials implements Serializable
            throw new AuthenticationException("Audience Claim MUST contain the client_id value");
        else if (isList)
        {
-            if (!Arrays.asList((Object[])aud).contains(clientId))
+            List<Object> list = Arrays.asList((Object[])aud);
+            if (!list.contains(clientId))
                throw new AuthenticationException("Audience Claim MUST contain the client_id value");

-            if (claims.get("azp") == null)
+            if (list.size() > 1 && claims.get("azp") == null)
                throw new AuthenticationException("A multi-audience ID token needs to contain an azp claim");
        }
        else if (!isValidType)
--- a/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
+++ b/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
@ -0,0 +1,40 @@
+//
+// ========================================================================
+// Copyright (c) 1995-2021 Mort Bay Consulting Pty Ltd and others.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License v. 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+// ========================================================================
+//
+
+package org.eclipse.jetty.security.openid;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.eclipse.jetty.client.HttpClient;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+
+public class OpenIdCredentialsTest
+{
+    @Test
+    public void testSingleAudienceValueInArray() throws Exception
+    {
+        String issuer = "myIssuer123";
+        String clientId = "myClientId456";
+        OpenIdConfiguration configuration = new OpenIdConfiguration(issuer, "", "", clientId, "", new HttpClient());
+
+        Map<String, Object> claims = new HashMap<>();
+        claims.put("iss", issuer);
+        claims.put("aud", new String[]{clientId});
+        claims.put("exp", System.currentTimeMillis() + 5000);
+
+        assertDoesNotThrow(() -> new OpenIdCredentials(claims).redeemAuthCode(configuration));
+    }
+}