Package JWT: allow clients to optionally enforce matching of aud, iss and sub claims #419
Conversation
```go
// token or the `aud` claim is missing.
func MustMatchAudience(aud string) DecoderParserOption {
	return func(p *decoderParser) {
		p.expectedAud = aud
```
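Review bot: `MustMatchAudience("")` silently disables the audience check rather than enforcing it, because the decoder only appends `jwt.WithAudience` when `parserOptions.expectedAud != ""` (see the decoder.go snippet quoted below in this thread). An option named "Must" should either reject an empty argument or document that an empty string means "no audience enforcement", so a misconfigured caller does not end up with a token that passes validation against no audience at all.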
Yes - the encoded claims can specify multiple audiences, but the decoder just checks that the aud that is "itself" is in that list.
See decoder.go line 123:
```go
// Only add the audience validator when the client asked for one.
if parserOptions.expectedAud != "" {
	opts = append(opts, jwt.WithAudience(parserOptions.expectedAud))
}
```
That "jwt.WithAudience()" goes on to be implemented inside go-jwt as:
```go
func (v *Validator) verifyAudience(claims Claims, cmp string, required bool) error {
	aud, err := claims.GetAudience()
	if err != nil {
		return err
	}
	// No aud claim at all: an error only if the caller required one.
	if len(aud) == 0 {
		return errorIfRequired(required, "aud")
	}
	// use a var here to keep constant time compare when looping over a number of claims
	result := false
	var stringClaims string
	for _, a := range aud {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
			result = true
		}
		stringClaims = stringClaims + a
	}
	// case where "" is sent in one or many aud claims
	if stringClaims == "" {
		return errorIfRequired(required, "aud")
	}
	return errorIfFalse(result, ErrTokenInvalidAudience)
}
```
Which loops through all the audiences and checks that "this" audience is in that list.
Make sense?
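The audience check described in the comment above, as a self-contained added example that is not code from the PR or from go-jwt. It reproduces the same decision logic (required-vs-optional, the all-empty-strings case, constant-time comparison against every listed audience) on top of the standard library only, and adds the step the thread takes for granted: RFC 7519 lets `aud` be either a single string or an array of strings, so the claim has to be parsed both ways before it can be matched. The function and error names and the sample payloads are this example's own.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// Error values for the two failure modes discussed in the thread. These are
// this example's own names, not go-jwt's exported identifiers.
var (
	ErrMissingAudience = errors.New("aud claim is required but missing or empty")
	ErrInvalidAudience = errors.New("aud claim does not contain the expected audience")
)

// parseAudience extracts the "aud" claim from a decoded JWT payload.
// RFC 7519 allows "aud" to be a single string or an array of strings,
// so both shapes are accepted. An absent claim yields a nil slice.
func parseAudience(payload []byte) ([]string, error) {
	var raw struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, err
	}
	if len(raw.Aud) == 0 {
		return nil, nil // claim not present
	}
	var single string
	if err := json.Unmarshal(raw.Aud, &single); err == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(raw.Aud, &many); err != nil {
		return nil, fmt.Errorf("aud is neither a string nor an array of strings: %w", err)
	}
	return many, nil
}

// verifyAudience mirrors the loop quoted in the thread: every listed
// audience is compared in constant time, the match flag is only ever set
// (never cleared) so the loop does not short-circuit, and a list made
// solely of empty strings is treated like a missing claim.
func verifyAudience(aud []string, expected string, required bool) error {
	if len(aud) == 0 {
		if required {
			return ErrMissingAudience
		}
		return nil
	}
	matched := false
	joined := ""
	for _, a := range aud {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 {
			matched = true
		}
		joined += a
	}
	if joined == "" {
		if required {
			return ErrMissingAudience
		}
		return nil
	}
	if !matched {
		return ErrInvalidAudience
	}
	return nil
}

// CheckAudience is the end-to-end step a decoder would run on the
// decoded payload: parse the claim, then enforce it against the
// audience this service identifies itself as.
func CheckAudience(payload []byte, expected string, required bool) error {
	aud, err := parseAudience(payload)
	if err != nil {
		return err
	}
	return verifyAudience(aud, expected, required)
}

func main() {
	// Constructed sample payloads (already base64-decoded JWT bodies).
	samples := []string{
		`{"aud":"api.example.test","sub":"u1"}`,
		`{"aud":["web.example.test","api.example.test"],"sub":"u1"}`,
		`{"aud":["web.example.test"],"sub":"u1"}`,
		`{"sub":"u1"}`,
		`{"aud":["",""],"sub":"u1"}`,
	}
	for _, s := range samples {
		err := CheckAudience([]byte(s), "api.example.test", true)
		fmt.Printf("%-60s -> %v\n", s, err)
	}
}
```

The `required` flag is what turns "no `aud` claim" from a pass into a failure; a service that only ever accepts tokens minted for itself should pass `true`, otherwise a token issued for a different audience that simply omits the claim would be accepted.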
Left one comment but otherwise looks good
Purpose: Allow clients to enforce matching aud, iss and sub claims
Changes: