Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #6618 - azp claim should not be required for single value aud array #6620

Merged
merged 3 commits into from Aug 18, 2021
Merged

Issue #6618 - azp claim should not be required for single value aud array #6620

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9af67f8
Issue #6618 - azp claim should not be required for single value aud a…
lachlan-roberts Aug 16, 2021
af316e5
Issue #6618 - Use a new OpenIdCredentials constructor instead of stat…
lachlan-roberts Aug 17, 2021
ffc7f05
Merge remote-tracking branch 'origin/jetty-10.0.x' into jetty-10.0.x-…
lachlan-roberts Aug 18, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion jetty-openid/src/main/java/org/eclipse/jetty/security/openid/JwtDecoder.java
View file
Open in desktop
Expand Up @@ -35,6 +35,7 @@ public class JwtDecoder
* @param jwt the JWT to decode.
* @return the map of claims encoded in the JWT.
*/
@SuppressWarnings("unchecked")
public static Map<String, Object> decode(String jwt)
{
if (LOG.isDebugEnabled())
Expand All @@ -54,7 +55,6 @@ public static Map<String, Object> decode(String jwt)
Object parsedJwtHeader = json.fromJSON(jwtHeaderString);
if (!(parsedJwtHeader instanceof Map))
throw new IllegalStateException("Invalid JWT header");
@SuppressWarnings("unchecked")
Map<String, Object> jwtHeader = (Map<String, Object>)parsedJwtHeader;
if (LOG.isDebugEnabled())
LOG.debug("JWT Header: {}", jwtHeader);
Expand Down
21 changes: 18 additions & 3 deletions jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
View file
Open in desktop
Expand Up @@ -15,6 +15,7 @@

import java.io.Serializable;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;

Expand Down Expand Up @@ -45,6 +46,14 @@ public class OpenIdCredentials implements Serializable
private String authCode;
private Map<String, Object> response;
private Map<String, Object> claims;
private boolean verified = false;

public OpenIdCredentials(Map<String, Object> claims)
{
this.redirectUri = null;
this.authCode = null;
this.claims = claims;
}

public OpenIdCredentials(String authCode, String redirectUri)
{
Expand Down Expand Up @@ -95,14 +104,19 @@ public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception
claims = JwtDecoder.decode(idToken);
if (LOG.isDebugEnabled())
LOG.debug("claims {}", claims);
validateClaims(configuration);
}
finally
{
// reset authCode as it can only be used once
authCode = null;
}
}

if (!verified)
{
validateClaims(configuration);
verified = true;
}
}

private void validateClaims(OpenIdConfiguration configuration) throws Exception
Expand Down Expand Up @@ -138,10 +152,11 @@ private void validateAudience(OpenIdConfiguration configuration) throws Authenti
throw new AuthenticationException("Audience Claim MUST contain the client_id value");
else if (isList)
{
if (!Arrays.asList((Object[])aud).contains(clientId))
List<Object> list = Arrays.asList((Object[])aud);
if (!list.contains(clientId))
throw new AuthenticationException("Audience Claim MUST contain the client_id value");

if (claims.get("azp") == null)
if (list.size() > 1 && claims.get("azp") == null)
throw new AuthenticationException("A multi-audience ID token needs to contain an azp claim");
}
else if (!isValidType)
Expand Down
40 changes: 40 additions & 0 deletions jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
View file
Open in desktop
@@ -0,0 +1,40 @@
//
// ========================================================================
// Copyright (c) 1995-2021 Mort Bay Consulting Pty Ltd and others.
//
// This program and the accompanying materials are made available under the
// terms of the Eclipse Public License v. 2.0 which is available at
// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
// which is available at https://www.apache.org/licenses/LICENSE-2.0.
//
// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
// ========================================================================
//

package org.eclipse.jetty.security.openid;

import java.util.HashMap;
import java.util.Map;

import org.eclipse.jetty.client.HttpClient;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;

public class OpenIdCredentialsTest
{
@Test
public void testSingleAudienceValueInArray() throws Exception
{
String issuer = "myIssuer123";
String clientId = "myClientId456";
OpenIdConfiguration configuration = new OpenIdConfiguration(issuer, "", "", clientId, "", new HttpClient());

Map<String, Object> claims = new HashMap<>();
claims.put("iss", issuer);
claims.put("aud", new String[]{clientId});
claims.put("exp", System.currentTimeMillis() + 5000);

assertDoesNotThrow(() -> new OpenIdCredentials(claims).redeemAuthCode(configuration));
}
}