From 13b14734b91deeeaeca058dd531141c99f8195d2 Mon Sep 17 00:00:00 2001
From: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Date: Mon, 16 Nov 2020 08:26:19 +0100
Subject: [PATCH] fix: append client id to aud (#71)
* fix: append client id to aud
* fix: append client id to aud
* Update pkg/oidc/token.go
Co-authored-by: Livio Amstutz
Co-authored-by: Livio Amstutz
---
 pkg/oidc/token.go | 15 ++++++++++++++-
 pkg/op/token.go | 2 +-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/pkg/oidc/token.go b/pkg/oidc/token.go
index 99f18c7..bd84e64 100644
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@@ -48,8 +48,11 @@ func EmptyAccessTokenClaims() AccessTokenClaims {
 return new(accessTokenClaims)
 }
 
-func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, id string) AccessTokenClaims {
+func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, id, clientID string) AccessTokenClaims {
 now := time.Now().UTC()
+ if len(audience) == 0 {
+ audience = append(audience, clientID)
+ }
 return &accessTokenClaims{
 Issuer: issuer,
 Subject: subject,
@@ -201,6 +204,7 @@ func EmptyIDTokenClaims() IDTokenClaims {
 }
 
 func NewIDTokenClaims(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string) IDTokenClaims {
+ audience = AppendClientIDToAudience(clientID, audience)
 return &idTokenClaims{
 Issuer: issuer,
 Audience: audience,
@@ -441,3 +445,12 @@ func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, erro
 return utils.HashString(hash, claim, true), nil
 }
 
+
+func AppendClientIDToAudience(clientID string, audience []string) []string {
+ for _, aud := range audience {
+ if aud == clientID {
+ return audience
+ }
+ }
+ return append(audience, clientID)
+}
diff --git a/pkg/op/token.go b/pkg/op/token.go
index 4fd4c0a..057ab5b 100644
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
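Review bot: The guard added to NewAccessTokenClaims only inserts clientID when audience is empty, so an access token whose request already names other audiences is issued without the client in aud, whereas NewIDTokenClaims in the next hunk always ensures the client is listed via AppendClientIDToAudience; the commit title suggests one rule was intended for both constructors. Replacing the three added lines with `audience = AppendClientIDToAudience(clientID, audience)` makes the two agree, and either form should skip an empty clientID rather than emit an empty aud entry, which the current `append(audience, clientID)` does when both are empty. The exported function still has no doc comment; `// NewAccessTokenClaims builds the claims of an access token, adding clientID to aud when it is not already listed.` would fit the file. NewAccessTokenClaims's body continues past the end of the hunk.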
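Review bot: AppendClientIDToAudience appends into the slice it is given, so whenever audience has spare capacity the new element is written into the caller's backing array; NewIDTokenClaims in the previous hunk passes through an audience slice whose owner is not visible here, and the same aliasing applies to the `append(audience, clientID)` added to NewAccessTokenClaims in the first hunk. Returning `append(audience[:len(audience):len(audience)], clientID)` forces a fresh allocation on growth and leaves the input untouched. The exported helper also lacks a doc comment; `// AppendClientIDToAudience returns audience with clientID added unless it is already present.` states the contract.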
@@ -83,7 +83,7 @@ func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error) {
 }
 
 func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, signer Signer, client Client, storage Storage) (string, error) {
- claims := oidc.NewAccessTokenClaims(issuer, tokenRequest.GetSubject(), tokenRequest.GetAudience(), exp, id)
+ claims := oidc.NewAccessTokenClaims(issuer, tokenRequest.GetSubject(), tokenRequest.GetAudience(), exp, id, client.GetID())
 if client != nil {
 restrictedScopes := client.RestrictAdditionalAccessTokenScopes()(tokenRequest.GetScopes())
 privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes))
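Review bot: `client.GetID()` on the new line is evaluated before the `if client != nil` check that immediately follows it, so a nil client — which that guard shows callers may pass — now panics inside CreateJWT where the previous code carried on. Resolve the id under the same nil check and pass the result, keeping the existing guard for the private-claims lookup. CreateJWT's body continues past the end of the hunk.
```go
func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, signer Signer, client Client, storage Storage) (string, error) {
	var clientID string
	if client != nil {
		clientID = client.GetID()
	}
	claims := oidc.NewAccessTokenClaims(issuer, tokenRequest.GetSubject(), tokenRequest.GetAudience(), exp, id, clientID)
	// … unchanged: private-claims lookup under the existing client != nil guard …
```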