
Check OpenID audience when validating token. #3541

Merged
merged 11 commits into from
Jun 5, 2024

Conversation

evankanderson (Member)

Summary

We don't currently validate the audience claim in the JWT. The OpenID basic client implementation spec says:

The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.

https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation

As part of this, introduce a unique minder audience in the development setup. Note that this includes development setup changes to add this audience to both the openid scope as well as a new minder-audience scope. This means that existing clients will receive the minder scopes as part of the openid claim; this will allow existing clients to work with the new server, assuming the Keycloak configuration for the server is updated.

For users running a stand-alone Minder installation, they will need to update their Keycloak configuration similarly to the example for development.

Change Type

Mark the type of change your PR introduces:

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

Manual testing and updated unit tests.

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.

@evankanderson evankanderson requested a review from a team as a code owner June 5, 2024 13:48
@evankanderson evankanderson changed the title Finding our audience Check OpenID audience when validating token. Jun 5, 2024
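The audience rule quoted from the OpenID Connect Basic Client spec, as an added Go example that is not Minder's own code from this PR. It uses only the standard library: `aud` is decoded as either a JSON string or an array (both forms are legal), the token must name our client ID, and any additional audience must be in an explicit trust list. The client ID `minder-cli`, the trusted audience `minder`, the issuer URL and the sample tokens are hypothetical values constructed for the example; signature and `iss` verification are assumed to be done by the caller's JWT library before `checkAudience` runs, so the payload is decoded here without checking the signature.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// audience models the OIDC/JWT "aud" claim, which may be a single JSON string
// or a JSON array of strings (RFC 7519 section 4.1.3).
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		*a = nil // treat "aud": null the same as a missing claim
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud claim must be a string or array of strings: %w", err)
	}
	*a = audience(many)
	return nil
}

type claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience audience `json:"aud"`
}

var (
	errMissingAudience   = errors.New("token has no aud claim")
	errNotAnAudience     = errors.New("token does not list this client as an audience")
	errUntrustedAudience = errors.New("token contains an audience this client does not trust")
)

// checkAudience applies the spec rule: the token MUST list ourClientID in aud,
// and MUST NOT carry any audience outside the trusted set. Signature and issuer
// checks are assumed to have already passed.
func checkAudience(aud audience, ourClientID string, trusted map[string]bool) error {
	if len(aud) == 0 {
		return errMissingAudience
	}
	found := false
	for _, a := range aud {
		if a == ourClientID {
			found = true
			continue
		}
		if !trusted[a] {
			return fmt.Errorf("%w: %q", errUntrustedAudience, a)
		}
	}
	if !found {
		return errNotAnAudience
	}
	return nil
}

// payloadClaims decodes the claims of a compact JWS. It does NOT verify the
// signature; that is assumed to happen before the audience check.
func payloadClaims(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return &c, nil
}

// encodeToken wraps a JSON payload in an unsigned compact JWS. It exists only
// to construct sample input for this example; never accept such tokens in production.
func encodeToken(payload string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	return header + "." + base64.RawURLEncoding.EncodeToString([]byte(payload)) + "."
}

func main() {
	// Hypothetical Keycloak realm and client names; not Minder's real configuration.
	trusted := map[string]bool{"minder": true}
	samples := []string{
		`{"iss":"https://localhost:8081/realms/stacklok","sub":"alice","aud":["minder-cli","minder"]}`,
		`{"iss":"https://localhost:8081/realms/stacklok","sub":"alice","aud":["minder-cli","other-app"]}`,
	}
	for _, p := range samples {
		c, err := payloadClaims(encodeToken(p))
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("aud=%v -> %v\n", c.Audience, checkAudience(c.Audience, "minder-cli", trusted))
	}
}
```

The trust list is deliberately an allow-list rather than "anything but us": a token minted for another Keycloak client that also lists our client ID must still be rejected, which is the "additional audiences not trusted by the Client" clause of the spec.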
@coveralls

Coverage Status

coverage: 53.237% (-0.004%) from 53.241%
when pulling 4c289eb on evankanderson:finding-our-audience
into d986b0c on stacklok:main.

@coveralls

Coverage Status

coverage: 53.247% (+0.006%) from 53.241%
when pulling 11dd9a8 on evankanderson:finding-our-audience
into d986b0c on stacklok:main.

@evankanderson evankanderson merged commit 1ec9ffc into mindersec:main Jun 5, 2024
21 checks passed