1
0
Fork 0

Fix #4877 to follow the OpenID Connect Audiences spec (#4878)

Signed-off-by: Gabriel Robertson <overminddl1@gmail.com>
This commit is contained in:
OvermindDL1 2018-09-20 13:17:34 -06:00 committed by Lauris BH
parent 364c029246
commit 07af31d004
2 changed files with 32 additions and 4 deletions

6
Gopkg.lock generated
View file

@ -547,7 +547,7 @@
revision = "e3534c89ef969912856dfa39e56b09e58c5f5daf" revision = "e3534c89ef969912856dfa39e56b09e58c5f5daf"
[[projects]] [[projects]]
digest = "1:fb22af9d8c1a6166ad299705648db460ba2c28a830f7f6cdd830019d7c3fd96f" digest = "1:23f75ae90fcc38dac6fad6881006ea7d0f2c78db5f9f81f3df558dc91460e61f"
name = "github.com/markbates/goth" name = "github.com/markbates/goth"
packages = [ packages = [
".", ".",
@ -562,8 +562,8 @@
"providers/twitter", "providers/twitter",
] ]
pruneopts = "NUT" pruneopts = "NUT"
revision = "4933f155d89c3c52ab4ca545c6602cf4a1e87913" revision = "f9c6649ab984d6ea71ef1e13b7b1cdffcf4592d3"
version = "1.45.5" version = "v1.46.1"
[[projects]] [[projects]]
digest = "1:3ef954101983406a71171c4dc816a73e01bb3de608b3dd063627aa67a459f3e3" digest = "1:3ef954101983406a71171c4dc816a73e01bb3de608b3dd063627aa67a459f3e3"

View file

@ -200,8 +200,18 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) { func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) {
audience := getClaimValue(claims, []string{audienceClaim}) audience := getClaimValue(claims, []string{audienceClaim})
if audience != p.ClientKey { if audience != p.ClientKey {
found := false
audiences := getClaimValues(claims, []string{audienceClaim})
for _, aud := range audiences {
if aud == p.ClientKey {
found = true
break
}
}
if !found {
return time.Time{}, errors.New("audience in token does not match client key") return time.Time{}, errors.New("audience in token does not match client key")
} }
}
issuer := getClaimValue(claims, []string{issuerClaim}) issuer := getClaimValue(claims, []string{issuerClaim})
if issuer != p.openIDConfig.Issuer { if issuer != p.openIDConfig.Issuer {
@ -355,6 +365,24 @@ func getClaimValue(data map[string]interface{}, claims []string) string {
return "" return ""
} }
func getClaimValues(data map[string]interface{}, claims []string) []string {
var result []string
for _, claim := range claims {
if value, ok := data[claim]; ok {
if stringValues, ok := value.([]interface{}); ok {
for _, stringValue := range stringValues {
if s, ok := stringValue.(string); ok && len(s) > 0 {
result = append(result, s)
}
}
}
}
}
return result
}
// decodeJWT decodes a JSON Web Token into a simple map // decodeJWT decodes a JSON Web Token into a simple map
// http://openid.net/specs/draft-jones-json-web-token-07.html // http://openid.net/specs/draft-jones-json-web-token-07.html
func decodeJWT(jwt string) (map[string]interface{}, error) { func decodeJWT(jwt string) (map[string]interface{}, error) {