Merge pull request #6636 from eclipse/jetty-9.4.x-6618-OpenID-audArray

Issue #6618 - azp claim should not be required for single value aud array (jetty-9.4)
jetty · Aug 18, 2021 · b848c87 · b848c87
2 parents 693663a + c20be7d
commit b848c87
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 5 deletions.
diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/JwtDecoder.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/JwtDecoder.java
@@ -39,6 +39,7 @@ public class JwtDecoder
      * @param jwt the JWT to decode.
      * @return the map of claims encoded in the JWT.
      */
+    @SuppressWarnings("unchecked")
     public static Map<String, Object> decode(String jwt)
     {
         if (LOG.isDebugEnabled())
@@ -56,7 +57,7 @@ public static Map<String, Object> decode(String jwt)
         Object parsedJwtHeader = JSON.parse(jwtHeaderString);
         if (!(parsedJwtHeader instanceof Map))
             throw new IllegalStateException("Invalid JWT header");
-        Map<String, Object> jwtHeader = (Map)parsedJwtHeader;
+        Map<String, Object> jwtHeader = (Map<String, Object>)parsedJwtHeader;
         if (LOG.isDebugEnabled())
             LOG.debug("JWT Header: {}", jwtHeader);
 
@@ -69,7 +70,7 @@ and the Token Endpoint (which it is in this flow), the TLS server validation
         Object parsedClaims = JSON.parse(jwtClaimString);
         if (!(parsedClaims instanceof Map))
             throw new IllegalStateException("Could not decode JSON for JWT claims.");
-        return (Map)parsedClaims;
+        return (Map<String, Object>)parsedClaims;
     }
 
     static byte[] padJWTSection(String unpaddedEncodedJwtSection)

diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@@ -20,6 +20,7 @@
 
 import java.io.Serializable;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
@@ -50,6 +51,14 @@ public class OpenIdCredentials implements Serializable
     private String authCode;
     private Map<String, Object> response;
     private Map<String, Object> claims;
+    private boolean verified = false;
+
+    public OpenIdCredentials(Map<String, Object> claims)
+    {
+        this.redirectUri = null;
+        this.authCode = null;
+        this.claims = claims;
+    }
 
     public OpenIdCredentials(String authCode, String redirectUri)
     {
@@ -100,14 +109,19 @@ public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception
                 claims = JwtDecoder.decode(idToken);
                 if (LOG.isDebugEnabled())
                     LOG.debug("claims {}", claims);
-                validateClaims(configuration);
             }
             finally
             {
                 // reset authCode as it can only be used once
                 authCode = null;
             }
         }
+
+        if (!verified)
+        {
+            validateClaims(configuration);
+            verified = true;
+        }
     }
 
     private void validateClaims(OpenIdConfiguration configuration) throws Exception
@@ -143,10 +157,11 @@ private void validateAudience(OpenIdConfiguration configuration) throws Authenti
             throw new AuthenticationException("Audience Claim MUST contain the client_id value");
         else if (isList)
         {
-            if (!Arrays.asList((Object[])aud).contains(clientId))
+            List<Object> list = Arrays.asList((Object[])aud);
+            if (!list.contains(clientId))
                 throw new AuthenticationException("Audience Claim MUST contain the client_id value");
 
-            if (claims.get("azp") == null)
+            if (list.size() > 1 && claims.get("azp") == null)
                 throw new AuthenticationException("A multi-audience ID token needs to contain an azp claim");
         }
         else if (!isValidType)

diff --git a/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java b/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
@@ -0,0 +1,45 @@
+//
+//  ========================================================================
+//  Copyright (c) 1995-2021 Mort Bay Consulting Pty Ltd and others.
+//  ------------------------------------------------------------------------
+//  All rights reserved. This program and the accompanying materials
+//  are made available under the terms of the Eclipse Public License v1.0
+//  and Apache License v2.0 which accompanies this distribution.
+//
+//      The Eclipse Public License is available at
+//      http://www.eclipse.org/legal/epl-v10.html
+//
+//      The Apache License v2.0 is available at
+//      http://www.opensource.org/licenses/apache2.0.php
+//
+//  You may elect to redistribute this code under either of these licenses.
+//  ========================================================================
+//
+
+package org.eclipse.jetty.security.openid;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.eclipse.jetty.client.HttpClient;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+
+public class OpenIdCredentialsTest
+{
+    @Test
+    public void testSingleAudienceValueInArray() throws Exception
+    {
+        String issuer = "myIssuer123";
+        String clientId = "myClientId456";
+        OpenIdConfiguration configuration = new OpenIdConfiguration(issuer, "", "", clientId, "", new HttpClient());
+
+        Map<String, Object> claims = new HashMap<>();
+        claims.put("iss", issuer);
+        claims.put("aud", new String[]{clientId});
+        claims.put("exp", System.currentTimeMillis() + 5000);
+
+        assertDoesNotThrow(() -> new OpenIdCredentials(claims).redeemAuthCode(configuration));
+    }
+}