fix: append client id to aud (#71)

* fix: append client id to aud * fix: append client id to aud * Update pkg/oidc/token.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2020-11-16 08:26:19 +01:00 · 2020-11-16 08:26:19 +01:00 · 13b14734b9
commit 13b14734b9
parent 2370409a55
2 changed files with 15 additions and 2 deletions
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@ -48,8 +48,11 @@ func EmptyAccessTokenClaims() AccessTokenClaims {
 	return new(accessTokenClaims)
 }

-func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, id string) AccessTokenClaims {
+func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, id, clientID string) AccessTokenClaims {
 	now := time.Now().UTC()
+	if len(audience) == 0 {
+		audience = append(audience, clientID)
+	}
 	return &accessTokenClaims{
 		Issuer:     issuer,
 		Subject:    subject,
@ -201,6 +204,7 @@ func EmptyIDTokenClaims() IDTokenClaims {
 }

 func NewIDTokenClaims(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string) IDTokenClaims {
+	audience = AppendClientIDToAudience(clientID, audience)
 	return &idTokenClaims{
 		Issuer:                              issuer,
 		Audience:                            audience,
@ -441,3 +445,12 @@ func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, erro

 	return utils.HashString(hash, claim, true), nil
 }
+
+func AppendClientIDToAudience(clientID string, audience []string) []string {
+	for _, aud := range audience {
+		if aud == clientID {
+			return audience
+		}
+	}
+	return append(audience, clientID)
+}
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
@ -83,7 +83,7 @@ func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error) {
 }

 func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, signer Signer, client Client, storage Storage) (string, error) {
-	claims := oidc.NewAccessTokenClaims(issuer, tokenRequest.GetSubject(), tokenRequest.GetAudience(), exp, id)
+	claims := oidc.NewAccessTokenClaims(issuer, tokenRequest.GetSubject(), tokenRequest.GetAudience(), exp, id, client.GetID())
 	if client != nil {
 		restrictedScopes := client.RestrictAdditionalAccessTokenScopes()(tokenRequest.GetScopes())
 		privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes))