
ID token azp claim should not be required if aud is single value array #6618

Closed
agavrilov76 opened this issue Aug 14, 2021 · 2 comments
Labels
Bug For general bugs on Jetty side

Comments

@agavrilov76

Jetty version(s)
9,10,11

Java version/vendor (use: java -version)
N/A

OS type/version
N/A

Description
If the audience of an ID token is an array containing a single value, the azp claim should not be required.
https://openid.net/specs/openid-connect-core-1_0.html#IDToken

How to reproduce?

A sample ID token:

eyJraWQiOiIxIiwiYWxnIjoiUlMyNTYifQ.eyJhY3IiOiIxIiwic3ViIjoiNTg5ODQyMjA1MzgyMzg0ODQ0OCIsImF1ZCI6WyJ0ZWxlbm9yZGlnaXRhbC1kb2Jwb3J0YWx0ZWxlbm9yaWQtd2ViIl0sImF1dGhfdGltZSI6MTYyODk0ODA2NywiYW1yIjpbIlNTTyJdLCJpc3MiOiJodHRwczpcL1wvc2lnbmluLnRlbGVub3JpZC1zdGFnaW5nLmNvbVwvb2F1dGgiLCJ0ZF9zbHMiOmZhbHNlLCJleHAiOjE2Mjg5NTI5MzgsImlhdCI6MTYyODk0OTAzOH0.hKSYTSxJj3vzqKrvjDGqu45hrYnrnKTRrh9BmoGUADO48OGkh0GC9H2Qm529qi8iQKO5PXK6qc1lnDpfX8xv0zmwYSPJHwRrtFEXjNLrEIsuTdtrK59Tf7t7LXdxduZI95YfWtEqbPQ7EO-ykDCQev44pE0ry4IvrsFRYUyf7HU

causes the following exception:

WARN  [2021-08-14 14:23:01,889] org.eclipse.jetty.security.openid.OpenIdLoginService: 
! org.eclipse.jetty.security.openid.OpenIdCredentials$AuthenticationException: A multi-audience ID token needs to contain an azp claim
! at org.eclipse.jetty.security.openid.OpenIdCredentials.validateAudience(OpenIdCredentials.java:150)
! at org.eclipse.jetty.security.openid.OpenIdCredentials.validateClaims(OpenIdCredentials.java:120)
! at org.eclipse.jetty.security.openid.OpenIdCredentials.redeemAuthCode(OpenIdCredentials.java:103)
! at org.eclipse.jetty.security.openid.OpenIdLoginService.login(OpenIdLoginService.java:87)
! at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:67)
! at org.eclipse.jetty.security.openid.OpenIdAuthenticator.login(OpenIdAuthenticator.java:170)
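The following is an added example, not code from the issue or from Jetty. It decodes the payload of the ID token quoted above (signature deliberately not checked, since the point is the claim rule, not JWS verification) to show that its aud is a one-element array with no azp, then runs two audience validators over it: one that reproduces the behaviour described in the report (any array-typed aud is treated as multi-audience) and one that applies the OpenID Connect Core 1.0 rules from section 3.1.3.7, requiring azp only when there really is more than one audience. The function names, the CLIENT_ID constant and the extra claim sets are constructed for this example.

```python
import base64
import json

# ID token quoted in the issue report. Its signature is deliberately not
# verified here: this example only covers the aud/azp claim rules, and a real
# client must verify the signature (and iss/exp) before trusting any claim.
ISSUE_ID_TOKEN = (
    "eyJraWQiOiIxIiwiYWxnIjoiUlMyNTYifQ"
    ".eyJhY3IiOiIxIiwic3ViIjoiNTg5ODQyMjA1MzgyMzg0ODQ0OCIsImF1ZCI6WyJ0ZWxlbm9yZGlnaXRhbC1kb2Jwb3J0YWx0ZWxlbm9yaWQtd2ViIl0s"
    "ImF1dGhfdGltZSI6MTYyODk0ODA2NywiYW1yIjpbIlNTTyJdLCJpc3MiOiJodHRwczpcL1wvc2lnbmluLnRlbGVub3JpZC1zdGFnaW5nLmNvbVwvb2F1dGgi"
    "LCJ0ZF9zbHMiOmZhbHNlLCJleHAiOjE2Mjg5NTI5MzgsImlhdCI6MTYyODk0OTAzOH0"
    ".hKSYTSxJj3vzqKrvjDGqu45hrYnrnKTRrh9BmoGUADO48OGkh0GC9H2Qm529qi8iQKO5PXK6qc1lnDpfX8xv0zmwYSPJHwRrtFEXjNLrEIsuTdtrK59Tf7t7LXdxduZI95YfWtEqbPQ7EO-ykDCQev44pE0ry4IvrsFRYUyf7HU"
)

# The only audience named in the token above, used here as our client_id (assumption).
CLIENT_ID = "telenordigital-dobportaltelenorid-web"

# Constructed claim sets (not from the issue) covering the other aud shapes.
MULTI_AUD_NO_AZP = {"aud": [CLIENT_ID, "some-other-client"]}
MULTI_AUD_WITH_AZP = {"aud": [CLIENT_ID, "some-other-client"], "azp": CLIENT_ID}
STRING_AUD = {"aud": CLIENT_ID}


class AuthenticationException(Exception):
    """Same name as the exception in the issue's stack trace; nothing else is shared."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT (no verification)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def validate_audience_buggy(claims: dict, client_id: str) -> None:
    """The behaviour reported in the issue: an array-typed aud is taken to be
    multi-audience regardless of its length, so azp is demanded even when the
    array holds exactly one audience."""
    aud = claims.get("aud")
    if isinstance(aud, list):
        if "azp" not in claims:
            raise AuthenticationException("A multi-audience ID token needs to contain an azp claim")
        if claims["azp"] != client_id:
            raise AuthenticationException("azp claim does not match this client")
        if client_id not in aud:
            raise AuthenticationException("ID token is not addressed to this client")
    elif aud != client_id:
        raise AuthenticationException("ID token is not addressed to this client")


def validate_audience(claims: dict, client_id: str) -> None:
    """aud/azp checks from OpenID Connect Core 1.0, section 3.1.3.7 (steps 3-5):
    aud must contain client_id; azp is only expected when there are multiple
    audiences; if azp is present it must equal client_id."""
    aud = claims.get("aud")
    # aud is either a single string or a JSON array of strings: normalise first,
    # so a one-element array and a bare string are treated the same way.
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
        raise AuthenticationException("aud claim is missing or malformed")
    if client_id not in audiences:
        raise AuthenticationException("ID token is not addressed to this client")
    if len(audiences) > 1 and "azp" not in claims:
        raise AuthenticationException("A multi-audience ID token needs to contain an azp claim")
    azp = claims.get("azp")
    if azp is not None and azp != client_id:
        raise AuthenticationException("azp claim does not match this client")


def check(validator, claims: dict, client_id: str) -> str:
    """Run a validator and report the outcome as a string, for comparison."""
    try:
        validator(claims, client_id)
        return "accepted"
    except AuthenticationException as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    claims = decode_claims(ISSUE_ID_TOKEN)
    print("aud in the reported token:", claims["aud"], "| azp present:", "azp" in claims)
    print("buggy validator  :", check(validate_audience_buggy, claims, CLIENT_ID))
    print("fixed validator  :", check(validate_audience, claims, CLIENT_ID))
    print("multi-aud, no azp:", check(validate_audience, MULTI_AUD_NO_AZP, CLIENT_ID))
```

Run as a script, it shows the reported token being rejected with the exact message from the stack trace by the buggy validator and accepted by the spec-following one, while a constructed two-audience token without azp is still rejected. The normalisation step is the whole fix: once a bare string and a one-element array are the same thing, the azp requirement naturally keys off the audience count rather than the JSON type.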
@agavrilov76 agavrilov76 added the Bug For general bugs on Jetty side label Aug 14, 2021
@agavrilov76 agavrilov76 changed the title azp claim should not be required If audience of ID token is since value array ID token azp claim should not be required aud is single value array Aug 14, 2021
@agavrilov76 agavrilov76 changed the title ID token azp claim should not be required aud is single value array ID token azp claim should not be required if aud is single value array Aug 14, 2021
lachlan-roberts added a commit that referenced this issue Aug 16, 2021
…rray

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts (Contributor)

It looks like you're sending the aud as an array type with a single value; Jetty incorrectly assumes that it contains multiple audiences, but there is only one.

I have put up a PR to fix (see #6620).

@lachlan-roberts lachlan-roberts self-assigned this Aug 16, 2021
lachlan-roberts added a commit that referenced this issue Aug 17, 2021
…ic method.

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
@lachlan-roberts lachlan-roberts added this to To do in Jetty 9.4.44 FROZEN via automation Aug 18, 2021
@lachlan-roberts lachlan-roberts added this to To do in Jetty 10.0.7/11.0.7 FROZEN via automation Aug 18, 2021
lachlan-roberts added a commit that referenced this issue Aug 18, 2021
…rray

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Aug 18, 2021
…ic method.

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
lachlan-roberts added a commit that referenced this issue Aug 18, 2021
Issue #6618 - azp claim should not be required for single value aud array
lachlan-roberts added a commit that referenced this issue Aug 18, 2021
Issue #6618 - azp claim should not be required for single value aud array (jetty-9.4)
@lachlan-roberts (Contributor)

Fixed in both 9.4.x branch and 10/11.0.x branches.

Jetty 9.4.44 FROZEN automation moved this from To do to Done Aug 18, 2021
Jetty 10.0.7/11.0.7 FROZEN automation moved this from To do to Done Aug 18, 2021