Skip to content

Commit

Permalink
Merge pull request #6620 from eclipse/jetty-10.0.x-6618-OpenID-audArray
Browse files Browse the repository at this point in the history
Issue #6618 - azp claim should not be required for single value aud array
  • Loading branch information
lachlan-roberts committed Aug 18, 2021
2 parents 1acf54b + ffc7f05 commit ee24872
Show file tree
Hide file tree
Showing 3 changed files with 59 additions and 4 deletions.
Expand Up @@ -35,6 +35,7 @@ public class JwtDecoder
* @param jwt the JWT to decode.
* @return the map of claims encoded in the JWT.
*/
@SuppressWarnings("unchecked")
public static Map<String, Object> decode(String jwt)
{
if (LOG.isDebugEnabled())
Expand All @@ -54,7 +55,6 @@ public static Map<String, Object> decode(String jwt)
Object parsedJwtHeader = json.fromJSON(jwtHeaderString);
if (!(parsedJwtHeader instanceof Map))
throw new IllegalStateException("Invalid JWT header");
@SuppressWarnings("unchecked")
Map<String, Object> jwtHeader = (Map<String, Object>)parsedJwtHeader;
if (LOG.isDebugEnabled())
LOG.debug("JWT Header: {}", jwtHeader);
Expand Down
Expand Up @@ -15,6 +15,7 @@

import java.io.Serializable;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;

Expand Down Expand Up @@ -45,6 +46,14 @@ public class OpenIdCredentials implements Serializable
private String authCode;
private Map<String, Object> response;
private Map<String, Object> claims;
private boolean verified = false;

public OpenIdCredentials(Map<String, Object> claims)
{
this.redirectUri = null;
this.authCode = null;
this.claims = claims;
}

public OpenIdCredentials(String authCode, String redirectUri)
{
Expand Down Expand Up @@ -95,14 +104,19 @@ public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception
claims = JwtDecoder.decode(idToken);
if (LOG.isDebugEnabled())
LOG.debug("claims {}", claims);
validateClaims(configuration);
}
finally
{
// reset authCode as it can only be used once
authCode = null;
}
}

if (!verified)
{
validateClaims(configuration);
verified = true;
}
}

private void validateClaims(OpenIdConfiguration configuration) throws Exception
Expand Down Expand Up @@ -138,10 +152,11 @@ private void validateAudience(OpenIdConfiguration configuration) throws Authenti
throw new AuthenticationException("Audience Claim MUST contain the client_id value");
else if (isList)
{
if (!Arrays.asList((Object[])aud).contains(clientId))
List<Object> list = Arrays.asList((Object[])aud);
if (!list.contains(clientId))
throw new AuthenticationException("Audience Claim MUST contain the client_id value");

if (claims.get("azp") == null)
if (list.size() > 1 && claims.get("azp") == null)
throw new AuthenticationException("A multi-audience ID token needs to contain an azp claim");
}
else if (!isValidType)
Expand Down
@@ -0,0 +1,40 @@
//
// ========================================================================
// Copyright (c) 1995-2021 Mort Bay Consulting Pty Ltd and others.
//
// This program and the accompanying materials are made available under the
// terms of the Eclipse Public License v. 2.0 which is available at
// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
// which is available at https://www.apache.org/licenses/LICENSE-2.0.
//
// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
// ========================================================================
//

package org.eclipse.jetty.security.openid;

import java.util.HashMap;
import java.util.Map;

import org.eclipse.jetty.client.HttpClient;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;

public class OpenIdCredentialsTest
{
@Test
public void testSingleAudienceValueInArray() throws Exception
{
String issuer = "myIssuer123";
String clientId = "myClientId456";
OpenIdConfiguration configuration = new OpenIdConfiguration(issuer, "", "", clientId, "", new HttpClient());

Map<String, Object> claims = new HashMap<>();
claims.put("iss", issuer);
claims.put("aud", new String[]{clientId});
claims.put("exp", System.currentTimeMillis() + 5000);

assertDoesNotThrow(() -> new OpenIdCredentials(claims).redeemAuthCode(configuration));
}
}

0 comments on commit ee24872

Please sign in to comment.