cap
The id_token claims contain multiple audiences (`aud`) without an authorized party (`azp`); this situation will always produce an error
Describe the bug
When I use Vault to pass OIDC authentication, the returned id_token claims contain multiple audiences (`aud`) without an authorized party (`azp`), which results in an error output: `Provider.VerifyIDToken: invalid id_token : multiple audiences and authorized party (%!s(<nil>)) is not equal client_id (vault-oidc-client-id)`. I traced this back by looking at the relevant source code; here in this code there is a simple logic problem.
To Reproduce
Steps to reproduce the behavior:
- vault oidc config

```shell
# start a dev-mode Vault server in the background and point the CLI at it
vault server -dev -dev-root-token-id=myroot -log-level=debug > /tmp/vault.log 2>&1 &
sleep 1
export VAULT_TOKEN=myroot
export VAULT_ADDR=http://127.0.0.1:8200

# read-only policy that the OIDC role will hand out
cat - > /tmp/devpolicy.hcl <<EOF
path "/secret/*" {
  capabilities = ["read", "list"]
}
EOF
vault policy write dev /tmp/devpolicy.hcl

# enable the OIDC auth method and point it at the local OP
vault auth enable oidc
vault write auth/oidc/config \
    oidc_discovery_url="http://localhost:8082/api/oauth2" \
    oidc_client_id="vault-oidc-client-id" \
    oidc_client_secret="admin" \
    default_role="demo"

# role bound to the client_id as audience; repeating allowed_redirect_uris builds a list
vault write auth/oidc/role/demo \
    bound_audiences="vault-oidc-client-id" \
    allowed_redirect_uris="http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="http://127.0.0.1:8250/oidc/callback" \
    user_claim="sub" \
    policies=dev
```
Expected behavior
If the ID Token contains multiple audiences, the Client should verify that an azp Claim is present.
References
- https://security.stackexchange.com/questions/145818/openid-connect-standard-authorized-party-azp-contradiction
- https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
Screenshots
- id_token (This is the id_token returned by OIDC OP, parsed through jwt.io)
id_token = eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5UQXhabU14TkRNeVpEZzNNVFUxWkdNME16RXpPREpoWldJNE5ETmxaRFUxT0dGa05qRmlNUSIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoiTGtobjVWbWFHeHd6TldBVGNhRVhidyIsImF1ZCI6WyJodHRwczovL215LWNsaWVudC5teS1hcHBsaWNhdGlvbi5jb20iLCJ2YXVsdC1vaWRjLWNsaWVudC1pZCJdLCJhdXRoX3RpbWUiOjE2NTkyNTE2MzcsImV4cCI6MTY1OTI3MzIzNywiaWF0IjoxNjU5MjUxNjQ1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODIvYXBpL29hdXRoMiIsImp0aSI6ImYwYmE2NTE4LTUxZTktNDA4My04ZDhmLThlOTViOWYzNTI1ZiIsIm5vbmNlIjoibl92cEVVckdLYXpsZlk0Wm5aNXBmMiIsInJhdCI6MTY1OTI1MTYzNywic3ViIjoicGV0ZXIifQ.LOZUPJb_C3MbOXIjjMk8509SAHwAIot-VjztKkIbkplHe0FHfNOIbijx8HfyGURzqNNSgvmvta-57jdL5XVJZQzBZ4TDihUjyEzOPr-cdeZMla3FpwZRC7ftIUzuNxB4-ntfT0_5_LWVoVfC32B5cnxrxxYuVQNB-B8gz5-5ZE9K6e6W-s3x-7ltPIex4XJlNOM8JVjghJEH_381zUFKu2_sD-PjON1sHzgVeLHcX_WbomztKm6ZUhn-DOPiTtIsAwyFNGARUT80WJ-LOuFa7uD0Rvun0Jjs0OC6ReJ9rGad_z4F3rIm7lNQH4PDCkUuUe_aEYFfJJjO2NTog63b2g
- vault
Desktop (please complete the following information):
- OS: win10
- Browser: chrome
- Version: 103.0.5060.134
Hi, @zhangheng-w. Can you clarify how the error that you've received is different from the expected behavior? As far as I can tell, this library is behaving according to the spec.
Specifically, in ID Token Validation:
- If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
- If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
Your ID token has multiple audiences and no azp claim. The code verifies that the azp claim is present (4) and that its client_id is the claim value (5). I suppose we could verify that it's present (4) without strictly checking that it's equal to the client_id, but I don't see harm in checking that the azp is equal to the client_id at the same time.
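To make the three audience rules from ID Token Validation concrete, here is an added Go example (not code from the cap library, Vault, or either participant in this thread) that decodes the id_token pasted in the report above and applies rules 3 to 5 in spec order. The function names `decodeClaims` and `checkAudience` are this example's own; the token's signature, issuer, expiry and nonce are deliberately not verified here, because the point is only to show which rule the reported token trips (two `aud` entries and no `azp`).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// issueIDToken is the id_token pasted in the bug report above. Its signature
// segment is carried along but never verified in this example.
const issueIDToken = "eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5UQXhabU14TkRNeVpEZzNNVFUxWkdNME16RXpPREpoWldJNE5ETmxaRFUxT0dGa05qRmlNUSIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoiTGtobjVWbWFHeHd6TldBVGNhRVhidyIsImF1ZCI6WyJodHRwczovL215LWNsaWVudC5teS1hcHBsaWNhdGlvbi5jb20iLCJ2YXVsdC1vaWRjLWNsaWVudC1pZCJdLCJhdXRoX3RpbWUiOjE2NTkyNTE2MzcsImV4cCI6MTY1OTI3MzIzNywiaWF0IjoxNjU5MjUxNjQ1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODIvYXBpL29hdXRoMiIsImp0aSI6ImYwYmE2NTE4LTUxZTktNDA4My04ZDhmLThlOTViOWYzNTI1ZiIsIm5vbmNlIjoibl92cEVVckdLYXpsZlk0Wm5aNXBmMiIsInJhdCI6MTY1OTI1MTYzNywic3ViIjoicGV0ZXIifQ.LOZUPJb_C3MbOXIjjMk8509SAHwAIot-VjztKkIbkplHe0FHfNOIbijx8HfyGURzqNNSgvmvta-57jdL5XVJZQzBZ4TDihUjyEzOPr-cdeZMla3FpwZRC7ftIUzuNxB4-ntfT0_5_LWVoVfC32B5cnxrxxYuVQNB-B8gz5-5ZE9K6e6W-s3x-7ltPIex4XJlNOM8JVjghJEH_381zUFKu2_sD-PjON1sHzgVeLHcX_WbomztKm6ZUhn-DOPiTtIsAwyFNGARUT80WJ-LOuFa7uD0Rvun0Jjs0OC6ReJ9rGad_z4F3rIm7lNQH4PDCkUuUe_aEYFfJJjO2NTog63b2g"

// audience decodes the "aud" claim, which OIDC allows to be either a single
// string or an array of strings.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = audience(many)
	return nil
}

// audienceClaims is the subset of ID Token claims involved in rules 3-5 of
// OIDC Core 1.0 section 3.1.3.7 (ID Token Validation).
type audienceClaims struct {
	Aud audience `json:"aud"`
	Azp string   `json:"azp"`
}

// decodeClaims reads the payload of a compact JWS WITHOUT checking the
// signature, issuer, expiry or nonce. A real validator verifies the signature
// first and never trusts unverified claims; this helper only feeds the
// audience check below.
func decodeClaims(idToken string) (audienceClaims, error) {
	var c audienceClaims
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return c, errors.New("id_token is not a three-segment compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("decode payload: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("parse claims: %w", err)
	}
	return c, nil
}

// checkAudience applies the audience rules in spec order:
//  3. aud must contain the relying party's client_id (other entries allowed);
//  4. if aud lists several audiences, an azp claim must be present;
//  5. if azp is present, it must equal the client_id.
// Rule 4 is what the reported token trips: two audiences and no azp.
func checkAudience(c audienceClaims, clientID string) error {
	contains := false
	for _, a := range c.Aud {
		if a == clientID {
			contains = true
			break
		}
	}
	if !contains {
		return fmt.Errorf("aud %v does not contain client_id %q", []string(c.Aud), clientID)
	}
	if len(c.Aud) > 1 && c.Azp == "" {
		return errors.New("multiple audiences but no azp claim")
	}
	if c.Azp != "" && c.Azp != clientID {
		return fmt.Errorf("azp %q is not equal to client_id %q", c.Azp, clientID)
	}
	return nil
}

func main() {
	const clientID = "vault-oidc-client-id"
	claims, err := decodeClaims(issueIDToken)
	if err != nil {
		fmt.Println("decode error:", err)
		return
	}
	fmt.Printf("aud=%v azp=%q\n", []string(claims.Aud), claims.Azp)
	fmt.Println("verdict:", checkAudience(claims, clientID))
	// Constructed variant: the same claims pass once the OP emits azp=<client_id>.
	claims.Azp = clientID
	fmt.Println("with azp:", checkAudience(claims, clientID))
}
```

Running it prints the two `aud` entries from the pasted token, an empty `azp`, and a rejection from rule 4; setting `azp` to the client_id is what turns the same claims into an accepted token. On the Vault side this means the fix belongs at the OP (emit `azp` whenever several audiences are listed, or issue a token whose only audience is the client_id), not in the relying-party check.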