Support token validation against multiple issuers and audiences

internal/conf/config.go

@@ -65,8 +65,8 @@ func loadEnv(basePath *string, loadFromHome bool) (*Env, error) {
 		SecretsManager: viper.GetString("SECRETS_MANAGER"),
 		Auth: &AuthConfig{
 			WellKnown:  viper.GetString("TOKEN_WELL_KNOWN"),
-			Audience:   viper.GetString("TOKEN_AUDIENCE"),
-			Issuer:     viper.GetString("TOKEN_ISSUER"),
+			Audience:   viper.GetStringSlice("TOKEN_AUDIENCE"),
+			Issuer:     viper.GetStringSlice("TOKEN_ISSUER"),
 			Middleware: viper.GetString("AUTHORIZATION_MIDDLEWARE"),
 		},
 		DlJwtConfig: &DatalayerJwtConfig{

internal/conf/config_test.go

@@ -91,8 +91,8 @@ func TestParseEnvFromFile(t *testing.T) {
 
 		g.It("should have correct auth values", func() {
 			g.Assert(env.Auth.WellKnown).Equal("https://example.io/jwks/.well-known/jwks.json")
-			g.Assert(env.Auth.Audience).Equal("https://example.io")
-			g.Assert(env.Auth.Issuer).Equal("https://example.io")
+			g.Assert(env.Auth.Audience).Equal([]string{"https://example.io"})
+			g.Assert(env.Auth.Issuer).Equal([]string{"https://example.io"})
 			g.Assert(env.Auth.Middleware).Equal("noop")
 
 		})

internal/conf/environment.go

@@ -47,8 +47,8 @@ type Env struct {
 
 type AuthConfig struct {
 	WellKnown  string
-	Audience   string
-	Issuer     string
+	Audience   []string
+	Issuer     []string
 	Middleware string
 }
 

internal/web/middleware.go

@@ -133,8 +133,8 @@ func setupJWT(env *conf.Env, core *security.ServiceCore, skipper func(c echo.Con
 	// if node security is enabled
 	if env.Auth.Middleware == "local" {
 		config.NodePublicKey = core.NodeInfo.KeyPairs[0].PublicKey
-		config.Issuer = "node:" + core.NodeInfo.NodeId
-		config.Audience = "node:" + core.NodeInfo.NodeId
+		config.Issuer = []string{"node:" + core.NodeInfo.NodeId}
+		config.Audience = []string{"node:" + core.NodeInfo.NodeId}
 	}
 
 	return middlewares.JWTHandler(config)

internal/web/middlewares/authentication.go

@@ -36,8 +36,8 @@ type (
 
 		Cache     *jwk.Cache
 		Wellknown string
-		Audience  string
-		Issuer    string
+		Audience  []string
+		Issuer    []string
 
 		// This is set if Node security is enabled
 		NodePublicKey *rsa.PublicKey
@@ -158,12 +158,22 @@ func (config *JwtConfig) ValidateToken(auth string) (*jwt.Token, error) {
 	audience := config.Audience
 	issuer := config.Issuer
 
-	checkAud := claims.VerifyAudience(audience, false)
+	checkAud := false
+	for _, aud := range audience {
+		if claims.VerifyAudience(aud, false) {
+			checkAud = true
+		}
+	}
 	if !checkAud {
 		err = errors.New("invalid audience")
 	}
 
-	checkIss := claims.VerifyIssuer(issuer, false)
+	checkIss := false
+	for _, iss := range issuer {
+		if claims.VerifyIssuer(iss, false) {
+			checkIss = true
+		}
+	}
 	if !checkIss {
 		err = errors.New("invalid issuer")
 	}