Fix #4877 to follow the OpenID Connect Audiences spec (#4878)

Signed-off-by: Gabriel Robertson <overminddl1@gmail.com>
release/v1.15
OvermindDL1 2018-09-20 13:17:34 -06:00 committed by Lauris BH
parent 364c029246
commit 07af31d004
2 changed files with 32 additions and 4 deletions

6
Gopkg.lock generated
View File

@ -547,7 +547,7 @@
revision = "e3534c89ef969912856dfa39e56b09e58c5f5daf"
[[projects]]
digest = "1:fb22af9d8c1a6166ad299705648db460ba2c28a830f7f6cdd830019d7c3fd96f"
digest = "1:23f75ae90fcc38dac6fad6881006ea7d0f2c78db5f9f81f3df558dc91460e61f"
name = "github.com/markbates/goth"
packages = [
".",
@ -562,8 +562,8 @@
"providers/twitter",
]
pruneopts = "NUT"
revision = "4933f155d89c3c52ab4ca545c6602cf4a1e87913"
version = "1.45.5"
revision = "f9c6649ab984d6ea71ef1e13b7b1cdffcf4592d3"
version = "v1.46.1"
[[projects]]
digest = "1:3ef954101983406a71171c4dc816a73e01bb3de608b3dd063627aa67a459f3e3"

View File

@ -200,7 +200,17 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) {
audience := getClaimValue(claims, []string{audienceClaim})
if audience != p.ClientKey {
return time.Time{}, errors.New("audience in token does not match client key")
found := false
audiences := getClaimValues(claims, []string{audienceClaim})
for _, aud := range audiences {
if aud == p.ClientKey {
found = true
break
}
}
if !found {
return time.Time{}, errors.New("audience in token does not match client key")
}
}
issuer := getClaimValue(claims, []string{issuerClaim})
@ -355,6 +365,24 @@ func getClaimValue(data map[string]interface{}, claims []string) string {
return ""
}
func getClaimValues(data map[string]interface{}, claims []string) []string {
var result []string
for _, claim := range claims {
if value, ok := data[claim]; ok {
if stringValues, ok := value.([]interface{}); ok {
for _, stringValue := range stringValues {
if s, ok := stringValue.(string); ok && len(s) > 0 {
result = append(result, s)
}
}
}
}
}
return result
}
// decodeJWT decodes a JSON Web Token into a simple map
// http://openid.net/specs/draft-jones-json-web-token-07.html
func decodeJWT(jwt string) (map[string]interface{}, error) {