matrix/matrix-js-sdk
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-js-sdk.git synced 2025-07-28 17:02:01 +03:00
Code Activity

Handle when aud OIDC claim is an Array (#4584)

Browse Source 
* Handle when `aud` OIDC claim is an Array

The `aud` claim of OIDC id_tokens [can be an array](ce6d694639/src/Claims.ts (L92)) but the existing logic
incorrectly assumes `aud` is always a string.

This PR adds the necessary check.

* Clarify `aud` OIDC claim check

* Fix for prettier

---------

Co-authored-by: David Baker <dbkr@users.noreply.github.com>
This commit is contained in:
Liam Diprose
2024-12-17 00:38:34 +13:00
committed by GitHub
parent 315e81b7de
commit 693bb22ba1
2 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
spec/unit/oidc/validate.spec.ts
View File

@ -170,6 +170,23 @@ describe("validateIdToken()", () => {
expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
});
it("should not throw when audience is an array that includes clientId", () => {
mocked(jwtDecode).mockReturnValue({
...validDecodedIdToken,
aud: [clientId],
});
expect(() => validateIdToken(idToken, issuer, clientId, nonce)).not.toThrow();
});
it("should throw when audience is an array that does not include clientId", () => {
mocked(jwtDecode).mockReturnValue({
...validDecodedIdToken,
aud: [`${clientId},uiop`, "asdf"],
});
expect(() => validateIdToken(idToken, issuer, clientId, nonce)).toThrow(new Error(OidcError.InvalidIdToken));
expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
});
it("should throw when nonce does not match", () => {
mocked(jwtDecode).mockReturnValue({
...validDecodedIdToken,