
Handle when aud OIDC claim is an Array (#4584)

* Handle when `aud` OIDC claim is an Array

The `aud` claim of OIDC id_tokens [can be an array](ce6d694639/src/Claims.ts (L92)) but the existing logic
incorrectly assumes `aud` is always a string.

This PR adds the necessary check.

* Clarify `aud` OIDC claim check

* Fix for prettier

---------

Co-authored-by: David Baker <dbkr@users.noreply.github.com>
This commit is contained in:
Liam Diprose
2024-12-17 00:38:34 +13:00
committed by GitHub
parent 315e81b7de
commit 693bb22ba1
2 changed files with 19 additions and 1 deletions


@ -170,6 +170,23 @@ describe("validateIdToken()", () => {
expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience")); expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
}); });
it("should not throw when audience is an array that includes clientId", () => {
mocked(jwtDecode).mockReturnValue({
...validDecodedIdToken,
aud: [clientId],
});
expect(() => validateIdToken(idToken, issuer, clientId, nonce)).not.toThrow();
});
it("should throw when audience is an array that does not include clientId", () => {
mocked(jwtDecode).mockReturnValue({
...validDecodedIdToken,
aud: [`${clientId},uiop`, "asdf"],
});
expect(() => validateIdToken(idToken, issuer, clientId, nonce)).toThrow(new Error(OidcError.InvalidIdToken));
expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
});
it("should throw when nonce does not match", () => { it("should throw when nonce does not match", () => {
mocked(jwtDecode).mockReturnValue({ mocked(jwtDecode).mockReturnValue({
...validDecodedIdToken, ...validDecodedIdToken,
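Review bot: The two new cases cover an array that is exactly `[clientId]` and an array with no match, but not the case the comment in validateIdToken singles out: an array that contains clientId alongside an unrelated audience, e.g. `aud: [clientId, "other"]`. That case is the one whose outcome changed with this commit (the old strict string comparison rejected every array), so it deserves an explicit expectation either way. A third case with `aud` absent from the decoded claims would also pin down which error is logged now that the check indexes into the array rather than comparing a string. The describe block continues outside the hunk.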


@ -179,7 +179,8 @@ export const validateIdToken = (
* The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client. * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
* EW: Don't accept tokens with other untrusted audiences * EW: Don't accept tokens with other untrusted audiences
* */ * */
if (claims.aud !== clientId) { const sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : claims.aud;
if (!sanitisedAuds.includes(clientId)) {
throw new Error("Invalid audience"); throw new Error("Invalid audience");
} }
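Review bot: The new `includes` check accepts a token whose `aud` array lists clientId together with other audiences, which contradicts the comment directly above it ("Don't accept tokens with other untrusted audiences") and the quoted MUST from the spec. If the intent is still to reject additional audiences, the check should require every entry to be the client, e.g. `if (sanitisedAuds.length === 0 || sanitisedAuds.some((aud) => aud !== clientId)) {`; if the intent is to relax this, the comment should be updated to say so. Separately, when `aud` is missing from the claims, `typeof undefined !== "string"` leaves `sanitisedAuds` undefined and `.includes` throws a TypeError instead of the "Invalid audience" error the old comparison produced; `const sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : (claims.aud ?? []);` keeps that path on the intended error. validateIdToken begins and ends outside the hunk.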