From 07af31d0045725596564e31499f621e3903b6a72 Mon Sep 17 00:00:00 2001
From: OvermindDL1
Date: Thu, 20 Sep 2018 13:17:34 -0600
Subject: [PATCH] Fix #4877 to follow the OpenID Connect Audiences spec (#4878)

Signed-off-by: Gabriel Robertson
---
 Gopkg.lock | 6 ++--
 .../providers/openidConnect/openidConnect.go | 30 ++++++++++++++++++-
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/Gopkg.lock b/Gopkg.lock
index 7126f73642..056d8fd6f7 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -547,7 +547,7 @@
   revision = "e3534c89ef969912856dfa39e56b09e58c5f5daf"
 
 [[projects]]
-  digest = "1:fb22af9d8c1a6166ad299705648db460ba2c28a830f7f6cdd830019d7c3fd96f"
+  digest = "1:23f75ae90fcc38dac6fad6881006ea7d0f2c78db5f9f81f3df558dc91460e61f"
   name = "github.com/markbates/goth"
   packages = [
     ".",
@@ -562,8 +562,8 @@
     "providers/twitter",
   ]
   pruneopts = "NUT"
-  revision = "4933f155d89c3c52ab4ca545c6602cf4a1e87913"
-  version = "1.45.5"
+  revision = "f9c6649ab984d6ea71ef1e13b7b1cdffcf4592d3"
+  version = "v1.46.1"
 
 [[projects]]
   digest = "1:3ef954101983406a71171c4dc816a73e01bb3de608b3dd063627aa67a459f3e3"
diff --git a/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go b/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go
index 44419ba15f..a4ff1d40ff 100644
--- a/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go
+++ b/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go
@@ -200,7 +200,17 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
 func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) {
 	audience := getClaimValue(claims, []string{audienceClaim})
 	if audience != p.ClientKey {
-		return time.Time{}, errors.New("audience in token does not match client key")
+		found := false
+		audiences := getClaimValues(claims, []string{audienceClaim})
+		for _, aud := range audiences {
+			if aud == p.ClientKey {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return time.Time{}, errors.New("audience in token does not match client key")
+		}
 	}
 
 	issuer := getClaimValue(claims, []string{issuerClaim})
@@ -355,6 +365,24 @@ func getClaimValue(data map[string]interface{}, claims []string) string {
 	return ""
 }
 
+func getClaimValues(data map[string]interface{}, claims []string) []string {
+	var result []string
+
+	for _, claim := range claims {
+		if value, ok := data[claim]; ok {
+			if stringValues, ok := value.([]interface{}); ok {
+				for _, stringValue := range stringValues {
+					if s, ok := stringValue.(string); ok && len(s) > 0 {
+						result = append(result, s)
+					}
+				}
+			}
+		}
+	}
+
+	return result
+}
+
 // decodeJWT decodes a JSON Web Token into a simple map
 // http://openid.net/specs/draft-jones-json-web-token-07.html
 func decodeJWT(jwt string) (map[string]interface{}, error) {
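Review bot: The fallback loop added in validateClaims accepts the token as soon as p.ClientKey appears anywhere in the `aud` array, but OpenID Connect Core §3.1.3.7 also asks the client to reject an ID Token that lists audiences it does not trust and, when `aud` has more than one element, to verify that the `azp` (authorized party) claim is present and equals its client_id; neither check is made here, so a token minted for several clients passes without confirming this client was the authorized party. A minimal addition after the loop would be `if len(audiences) > 1 && getClaimValue(claims, []string{"azp"}) != p.ClientKey {` / `return time.Time{}, errors.New("authorized party in token does not match client key")` / `}`, using the file's existing claim-name constant for `azp` if one is defined (none is visible in the hunk); the spec states these as SHOULD, so confirm the providers in use emit `azp` before enforcing it. validateClaims continues past the end of the hunk.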
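Review bot: getClaimValues is added without a doc comment, while the neighbouring decodeJWT documents itself, and its contract is easy to misread: it only unpacks claims whose value is a `[]interface{}` (presumably a JSON array as decoded by encoding/json), so a claim carrying a bare string yields nil, which is why validateClaims in the earlier hunk has to call getClaimValue first. Suggested header: `// getClaimValues returns every non-empty string element of the named claims whose` / `// value is a JSON array; a claim holding a single string yields nothing, so callers` / `// pair it with getClaimValue for the scalar form.` The silent drop of non-string elements and empty strings is reasonable for audience matching but is worth stating in the same comment.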