
OpenID Connect is not parsing the JWT according to the spec, and thus is breaking #4877

Closed
@OvermindDL1

Description

  • Gitea version (or commit ref): bd1bf2a (current master as of this post)
  • Git version: 2.7.4
  • Operating system: Ubuntu Server
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist: N/A

Description

At this line of code:

	if audience != p.ClientKey {

It is performing a string comparison between audience and p.ClientKey; however, the OpenID Connect spec, which that very source file links to just 3 lines higher, states (emphasis mine):

The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.

And in fact an array is being passed in by some OpenID Connect servers, which is causing this to fail and be unusable.

The fix is fairly trivial conceptually, just need to perform a string comparison if aud is a string, else need to test if p.ClientKey is a member of the array of strings that is then in aud.
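As an added illustration (not Gitea's code, and not from the issue author), the following Go functions apply the quoted spec rule to a decoded claims payload: `aud` may be a string or an array of strings, it must contain the client's `client_id`, and any additional audience must be one the client explicitly trusts. `ValidateAudience`, `ValidateClaimsJSON` and the `trusted` set are assumed names for this example.

```go
package main

import "encoding/json"
import "fmt"

// ValidateAudience applies the OpenID Connect Core rule quoted in the issue: "aud"
// may be a string or an array of strings, it must contain the client_id, and every
// other entry must be an audience the client trusts. Illustrative, not Gitea's code.
func ValidateAudience(aud interface{}, clientID string, trusted map[string]bool) error {
	var audiences []string
	switch v := aud.(type) {
	case string:
		audiences = []string{v}
	case []interface{}: // encoding/json decodes a JSON array into this type
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return fmt.Errorf("aud contains a non-string element: %v", item)
			}
			audiences = append(audiences, s)
		}
	default:
		return fmt.Errorf("aud claim has unexpected type %T", aud)
	}
	found := false
	for _, a := range audiences {
		if a == clientID {
			found = true
		} else if !trusted[a] {
			return fmt.Errorf("aud lists untrusted audience %q", a)
		}
	}
	if !found {
		return fmt.Errorf("aud does not contain client_id %q", clientID)
	}
	return nil
}

// ValidateClaimsJSON decodes a JSON claims payload and checks its aud claim.
func ValidateClaimsJSON(payload []byte, clientID string, trusted map[string]bool) error {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return err
	}
	if _, ok := claims["aud"]; !ok {
		return fmt.Errorf("aud claim missing")
	}
	return ValidateAudience(claims["aud"], clientID, trusted)
}
```

Note that a bare `aud == clientID` comparison would reject the array form entirely, while naively accepting any array that merely contains the client_id would violate the "additional audiences not trusted by the Client" clause; the trusted set handles the second case.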
