hashicorp / cap

A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, LDAP

The id_token claims contain multiple audiences (`aud`) without an authorized party (`azp`); this situation will always be rejected

yiuiua opened this issue · comments

Describe the bug
When I use Vault to pass OIDC authentication, the returned id_token claims contain multiple audiences (`aud`) without an authorized party (`azp`), which results in this error output: `Provider.VerifyIDToken: invalid id_token: multiple audiences and authorized party (%!s(<nil>)) is not equal client_id (vault-oidc-client-id)`. I traced this back by reading the relevant source code; here in this code there is a simple logic problem.

To Reproduce
Steps to reproduce the behavior:

  1. vault oidc config
vault server -dev -dev-root-token-id=myroot -log-level=debug > /tmp/vault.log 2>&1 &
sleep 1
export VAULT_TOKEN=myroot
export VAULT_ADDR=http://127.0.0.1:8200

cat - > /tmp/devpolicy.hcl <<EOF
path "/secret/*" {
  capabilities = ["read", "list"]
}
EOF
vault policy write dev /tmp/devpolicy.hcl

vault auth enable oidc

vault write auth/oidc/config \
    oidc_discovery_url="http://localhost:8082/api/oauth2" \
    oidc_client_id="vault-oidc-client-id" \
    oidc_client_secret="admin" \
    default_role="demo"

vault write auth/oidc/role/demo \
    bound_audiences="vault-oidc-client-id" \
    allowed_redirect_uris="http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="http://127.0.0.1:8250/oidc/callback" \
    user_claim="sub" \
    policies=dev

Expected behavior
If the ID Token contains multiple audiences, the Client should verify that an azp Claim is present

reference

Screenshots

  • id_token (this is the id_token returned by the OIDC OP, decoded with jwt.io):
id_token = eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5UQXhabU14TkRNeVpEZzNNVFUxWkdNME16RXpPREpoWldJNE5ETmxaRFUxT0dGa05qRmlNUSIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoiTGtobjVWbWFHeHd6TldBVGNhRVhidyIsImF1ZCI6WyJodHRwczovL215LWNsaWVudC5teS1hcHBsaWNhdGlvbi5jb20iLCJ2YXVsdC1vaWRjLWNsaWVudC1pZCJdLCJhdXRoX3RpbWUiOjE2NTkyNTE2MzcsImV4cCI6MTY1OTI3MzIzNywiaWF0IjoxNjU5MjUxNjQ1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODIvYXBpL29hdXRoMiIsImp0aSI6ImYwYmE2NTE4LTUxZTktNDA4My04ZDhmLThlOTViOWYzNTI1ZiIsIm5vbmNlIjoibl92cEVVckdLYXpsZlk0Wm5aNXBmMiIsInJhdCI6MTY1OTI1MTYzNywic3ViIjoicGV0ZXIifQ.LOZUPJb_C3MbOXIjjMk8509SAHwAIot-VjztKkIbkplHe0FHfNOIbijx8HfyGURzqNNSgvmvta-57jdL5XVJZQzBZ4TDihUjyEzOPr-cdeZMla3FpwZRC7ftIUzuNxB4-ntfT0_5_LWVoVfC32B5cnxrxxYuVQNB-B8gz5-5ZE9K6e6W-s3x-7ltPIex4XJlNOM8JVjghJEH_381zUFKu2_sD-PjON1sHzgVeLHcX_WbomztKm6ZUhn-DOPiTtIsAwyFNGARUT80WJ-LOuFa7uD0Rvun0Jjs0OC6ReJ9rGad_z4F3rIm7lNQH4PDCkUuUe_aEYFfJJjO2NTog63b2g

  • vault (screenshot of the Vault error, image not reproduced here)

Desktop (please complete the following information):

  • OS: win10
  • Browser: chrome
  • Version: 103.0.5060.134

Hi, @zhangheng-w. Can you clarify how the error that you've received is different from the expected behavior? As far as I can tell, this library is behaving according to the spec.

Specifically, in ID Token Validation:

  4. If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
  5. If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.

Your ID token has multiple audiences and no azp claim. The code verifies that the azp claim is present (4) and that its client_id is the claim value (5). I suppose we could verify that it's present (4) without strictly checking that it's equal to the client_id, but I don't see harm in checking that the azp is equal to the client_id at the same time.
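The spec steps quoted in the reply, applied to the claim shape from the reporter's token, as an added example. This is not cap's own code (cap's `VerifyIDToken` is what produced the error above); it is a stand-alone illustration of steps 3, 4 and 5 of OIDC Core ID Token Validation. The claim sets are constructed to mirror the `aud`, `iss` and `sub` of the token in the issue, the `unsignedToken` helper only exists so the parsing path runs offline, and the function names are this example's own. Signature, issuer, expiry and nonce checks are deliberately out of scope here; a real client runs them before the audience logic.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// audienceClaims is the subset of ID Token claims needed for the
// audience / authorized-party checks (OIDC Core 3.1.3.7, steps 3-5).
type audienceClaims struct {
	Aud []string // "aud" normalised to a list; the JSON may be a string or an array
	Azp string   // "azp", empty when the claim is absent
}

// parseAudienceClaims decodes the payload segment of a compact-serialised JWT.
// It does NOT verify the signature: only call this on a token whose signature,
// issuer and expiry have already been checked.
func parseAudienceClaims(token string) (audienceClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return audienceClaims{}, errors.New("id_token is not a three-part compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return audienceClaims{}, fmt.Errorf("decode payload: %w", err)
	}
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(payload, &raw); err != nil {
		return audienceClaims{}, fmt.Errorf("parse claims: %w", err)
	}
	var c audienceClaims
	if a, ok := raw["aud"]; ok {
		var single string
		if json.Unmarshal(a, &single) == nil {
			c.Aud = []string{single}
		} else if err := json.Unmarshal(a, &c.Aud); err != nil {
			return audienceClaims{}, fmt.Errorf("aud must be a string or array of strings: %w", err)
		}
	}
	if z, ok := raw["azp"]; ok {
		if err := json.Unmarshal(z, &c.Azp); err != nil {
			return audienceClaims{}, fmt.Errorf("azp must be a string: %w", err)
		}
	}
	return c, nil
}

// validateAudience applies steps 3, 4 and 5 of ID Token Validation.
func validateAudience(c audienceClaims, clientID string) error {
	found := false // step 3: our client_id must be one of the audiences
	for _, a := range c.Aud {
		found = found || a == clientID
	}
	if !found {
		return fmt.Errorf("aud %v does not contain client_id %q", c.Aud, clientID)
	}
	// Step 4: multiple audiences require an azp claim. The reporter's token
	// (two audiences, no azp) is rejected here.
	if len(c.Aud) > 1 && c.Azp == "" {
		return errors.New("multiple audiences but no azp claim")
	}
	// Step 5: when azp is present it must name this client.
	if c.Azp != "" && c.Azp != clientID {
		return fmt.Errorf("azp %q is not the client_id %q", c.Azp, clientID)
	}
	return nil
}

// unsignedToken builds "header.payload." with an empty signature so the
// parsing path can be exercised offline. Never accept such a token for real.
func unsignedToken(claimsJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + enc([]byte(claimsJSON)) + "."
}

const clientID = "vault-oidc-client-id"

// Constructed claim sets: reportedClaims mirrors the aud/iss/sub of the token in
// the issue; fixedClaims is the same token with the azp the OP would need to add.
const (
	reportedClaims  = `{"iss":"http://localhost:8082/api/oauth2","sub":"peter","aud":["https://my-client.my-application.com","vault-oidc-client-id"]}`
	fixedClaims     = `{"iss":"http://localhost:8082/api/oauth2","sub":"peter","aud":["https://my-client.my-application.com","vault-oidc-client-id"],"azp":"vault-oidc-client-id"}`
	singleAudClaims = `{"iss":"http://localhost:8082/api/oauth2","sub":"peter","aud":"vault-oidc-client-id"}`
)

// checkToken parses and validates in one step so the outcome is easy to assert on.
func checkToken(token, clientID string) error {
	c, err := parseAudienceClaims(token)
	if err != nil {
		return err
	}
	return validateAudience(c, clientID)
}

func main() {
	for name, claims := range map[string]string{
		"reported (2 aud, no azp)": reportedClaims,
		"fixed (2 aud, azp set)":   fixedClaims,
		"single aud":               singleAudClaims,
	} {
		fmt.Printf("%-26s -> %v\n", name, checkToken(unsignedToken(claims), clientID))
	}
}
```

Running it shows the reporter's token failing at step 4 while the same token with `azp` set to the client_id, or a token with a single audience, passes. Checking `azp == client_id` at the same time as its presence, as the reply describes, is step 5; the two checks together are what the library is doing.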