
Unsupported multiple audiences for an SSO (Zitadel) #929

Closed
perrze opened this issue Dec 23, 2023 · 8 comments
Comments

@perrze

perrze commented Dec 23, 2023

Hi,
I tried to connect Warpgate to a ZITADEL SSO.
Problem: this OIDC provider sends multiple strings in the aud claim.
Example:

"aud": [
    "246260630850437123@project",
    "246263290592821251@project_old_name",
    "246361787010646019" // Project ID
]

I guess that Warpgate wants only the client ID in the aud claim.

I tried looking at the Warpgate code, didn't understand where I could modify it.

When I try to connect, it raises (SsoError::ClaimsVerification):
claims verification error: Invalid audiences: "246361787010646019" is not a trusted audience

Does a fix exist (in code or in config) to allow this?

Thanks for your help!

@linhxhust

Me too. Please help me to fix it.

@Eugeny
Member

Eugeny commented Jan 13, 2024

Multiple audiences should already be supported, what does your SSO section of the config file look like? Particularly, what's the client_id value?

@perrze
Author

perrze commented Jan 13, 2024

The client ID is the first entry in the aud scope: "246260630850437123@project"

And both "246263290592821251@project_old_name" and "246361787010646019" will trigger the error.
The scope that I request is "roles".

@Eugeny Eugeny closed this as completed in 75a2b8c Jan 13, 2024
@Eugeny
Member

Eugeny commented Jan 13, 2024

Thanks - I've added an additional_trusted_audiences provider option (array of strings) where you can add the other audiences. Per the OIDC spec clients have to reject any additional audiences unless explicitly trusted ✌️
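The rule Eugeny refers to (OIDC Core 3.1.3.7: the ID token must list the client as an audience, and any other audience must be explicitly trusted) is easy to get wrong when `aud` can be either a string or an array. The following is an added illustration of that check in Python; it is not Warpgate's code, and the `client_id`, `additional_trusted_audiences` config keys and the sample claims are taken from this thread, while the issuer URL is a placeholder.

```python
from typing import Iterable, List, Mapping, Union

# Constructed sample ID-token claims, using the aud values quoted in this issue.
SAMPLE_CLAIMS = {
    "iss": "https://zitadel.example.invalid",  # placeholder issuer, not a real host
    "sub": "user-1",
    "aud": [
        "246260630850437123@project",
        "246263290592821251@project_old_name",
        "246361787010646019",
    ],
}


class ClaimsVerificationError(Exception):
    """Raised when the aud claim does not satisfy the OIDC audience rule."""


def verify_audiences(
    aud: Union[str, Iterable[str], None],
    client_id: str,
    additional_trusted_audiences: Iterable[str] = (),
) -> List[str]:
    """Return the accepted audience list, or raise ClaimsVerificationError.

    OIDC Core 3.1.3.7 step 3: the client MUST be listed in aud, and the token
    MUST be rejected if aud contains an audience the client does not trust.
    aud may be a single string or a JSON array of strings.
    """
    if aud is None:
        raise ClaimsVerificationError("Invalid audiences: aud claim missing")
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if not audiences:
        raise ClaimsVerificationError("Invalid audiences: aud claim is empty")
    if client_id not in audiences:
        raise ClaimsVerificationError(
            f'Invalid audiences: client_id "{client_id}" is not listed in aud'
        )
    trusted = {client_id, *additional_trusted_audiences}
    for audience in audiences:
        if audience not in trusted:
            # Mirrors the wording of the error quoted in this issue.
            raise ClaimsVerificationError(
                f'Invalid audiences: "{audience}" is not a trusted audience'
            )
    return audiences


def verify_with_provider_config(claims: Mapping, provider: Mapping) -> List[str]:
    """Apply verify_audiences using a provider config dict shaped like the
    sso_providers entry discussed in this thread (hypothetical loader)."""
    return verify_audiences(
        claims.get("aud"),
        provider["client_id"],
        provider.get("additional_trusted_audiences", ()),
    )


if __name__ == "__main__":
    # Without the extra audiences configured, the second entry is rejected.
    try:
        verify_with_provider_config(
            SAMPLE_CLAIMS, {"client_id": "246260630850437123@project"}
        )
    except ClaimsVerificationError as err:
        print("rejected:", err)
    # With both other audiences explicitly trusted, the token is accepted.
    accepted = verify_with_provider_config(
        SAMPLE_CLAIMS,
        {
            "client_id": "246260630850437123@project",
            "additional_trusted_audiences": [
                "246263290592821251@project_old_name",
                "246361787010646019",
            ],
        },
    )
    print("accepted:", accepted)
```

The check is deliberately an allow-list: every audience in the token must be either the client ID or one of the configured extras, so a provider adding a new audience later fails closed rather than being silently accepted.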

@perrze
Author

perrze commented Jan 13, 2024

Thanks for your help!

@WilliamB78

WilliamB78 commented Aug 8, 2024

Sorry to dig this issue up, but I tried to add the following config with the latest version of warpgate (0.10.1) and it does not seem to work. Any idea @Eugeny?

sso_providers:
   - name: custom
     provider:
     ...
       additional_trusted_audiences: ["123456789098765432"]
     ...

@Eugeny
Member

Eugeny commented Aug 14, 2024

@WilliamB78 are you getting the same error as OP? (not a trusted audience)

@WilliamB78

@Eugeny Yes, I am getting this error:

claims verification error: Invalid audiences: 123456789098765432 is not a trusted audience
