JWT Assertion payload does not match RFC example when generated with OIDC relying party #452
Comments
|
@muhlemmer @livio-a Is there a reason why we have an array in the aud? |
|
I've just checked section 4 and can't see a conflict in the implementation.
Further the JWT RFC 7519 (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3) states that
We certainly improve the serialization of a single string audience into a string, but i wouldn't classify it as a bug then. |
|
I second @livio-a his conclusion that our current implementation is valid. I just checked it without knowing he already replied.
@Kunde21, can you be specific which systems are breaking on this? How would those systems handle multiple audience values? Would be strange if they work properly with multiple values (which they should) and break on a single value in an array. Have you considered raising a bug or ticket at the "other" system?
@livio-a we would end up again with more custom json marshalling on any claims bearing object, if we want to be consistent. Or use a separate type for all claims that allow the switch between string or array and have a marshal method on that. Either way it sounds like more code to maintain. I would abstain until it's proven to be absolutely necessary by the OP or others. |
muhlemmer
added
enhancement
muhlemmer
changed the title
You're right. As the RFC even uses MAY and not SHOULD it's even less necessary. |
|
The context here are FAPI compliant auth servers at financial institutions that take a very strict reading of the FAPI part 2 Section 5.2.3: The token exchange fails for any value of |
|
And a FAPI compliance test is failing with a single value was set to an array? Or is this a theoretical discussion? |
|
This is an active, production system that is being integrated upon. The oidc server is not going to change in this scenario. |
|
After some digging we found this conformance suite discussion. Practically, the FAPI test suite introduces the error as it gives the idea the Audience should be a string. But that's a bug is the suite. Meanwhile, what I get from this comment is that the conformance test automatically flattens the array and therefore accepting implicitly a single element array during RP testing. If it helps, I would be open to a PR that implements a |
Preflight Checklist
Version
v2.11.0
Describe the problem caused by this bug
JWT assertion payload does not match format from example in rfc 7523 - section 4 causing errors when connecting to systems that require audience be a string value.
To reproduce
Create a relying party with the
WithJWTProfileoption, attempt a token exchange.Generated assertion body:
{ "iss": "2da2387b-f75f-4c86-a0fe-3109d8aa6943", "sub": "2da2387b-f75f-4c86-a0fe-3109d8aa6943", "aud": [ "https://127.0.0.1/" ], "iat": 1696409593, "exp": 1696413193 }Screenshots
No response
Expected behavior
Expected assertion body:
{ "iss": "2da2387b-f75f-4c86-a0fe-3109d8aa6943", "sub": "2da2387b-f75f-4c86-a0fe-3109d8aa6943", "aud": "https://127.0.0.1/", "iat": 1696409593, "exp": 1696413193 }Additional Context
No response
The text was updated successfully, but these errors were encountered: