@Erwinvandervalk Erwinvandervalk commented Dec 12, 2025

There is a vulnerability in the samples:

The Vulnerability (CVE-2025-27370/CVE-2025-27371):

 - A malicious authorization server can trick a client into creating a JWT with an attacker-controlled aud (audience) claim
 - When the aud is set to the token endpoint URL (e.g., https://attacker.com/connect/token), the attacker can reuse that JWT to impersonate the client at a different authorization server that has the same token endpoint path
 - This is called "audience injection" and allows authentication bypass

By explicitly setting the audience to the authorization server's issuer identifier (the authority) rather than the full token endpoint URL, we prevent the vulnerability because:

 - The JWT is now bound to the specific authorization server's issuer
 - Even if an attacker controls a malicious AS, they cannot reuse the JWT at another AS since the audience would be different
 - This aligns with the OIDF remediation guidance that states: "Clients should only insert the correct AS issuer identifier as the aud claim"
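The flaw and the fix described above, as an added example that is not code from the Duende samples: a client-side assertion builder and an authorization-server-side audience check. HS256 stands in for the asymmetric signature of private_key_jwt so the example runs on the Python standard library; the hostnames, client id and key are constructed.

```python
import base64, hashlib, hmac, json, time, uuid

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_client_assertion(client_id: str, audience: str, key: bytes) -> str:
    """Client side: build an RFC 7523 client assertion JWT with the given aud.
    HS256 stands in for the asymmetric private_key_jwt signature (assumption)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + 60}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"

def as_accepts_assertion(jwt: str, accepted_audiences: set, key: bytes) -> bool:
    """Authorization-server side: verify signature and expiry, then require that
    aud names this server. A hardened AS lists only its issuer identifier here."""
    head, body, sig = jwt.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    claims = json.loads(_b64url_decode(body))
    return claims["exp"] > time.time() and claims["aud"] in accepted_audiences

def audience_injection_demo() -> dict:
    """Scenario from the PR description: the client talks to a malicious AS whose
    metadata advertises the victim's token endpoint. All values are constructed."""
    key = b"demo-client-key"  # constructed; stands in for the client's registered key
    victim_issuer = "https://demo.duendesoftware.com"
    hostile_metadata = {"issuer": "https://attacker.example",
                        "token_endpoint": victim_issuer + "/connect/token"}
    # Before the fix: aud copied from the (attacker-supplied) token_endpoint.
    endpoint_aud_jwt = build_client_assertion("client-app", hostile_metadata["token_endpoint"], key)
    # After the fix: aud is the configured authority, i.e. the AS issuer identifier.
    issuer_aud_jwt = build_client_assertion("client-app", hostile_metadata["issuer"], key)
    legacy_victim = {victim_issuer, victim_issuer + "/connect/token"}  # still accepts endpoint aud
    hardened_victim = {victim_issuer}                                  # issuer identifier only
    return {
        "endpoint_aud_replayed_at_legacy_victim": as_accepts_assertion(endpoint_aud_jwt, legacy_victim, key),
        "endpoint_aud_replayed_at_hardened_victim": as_accepts_assertion(endpoint_aud_jwt, hardened_victim, key),
        "issuer_aud_replayed_at_legacy_victim": as_accepts_assertion(issuer_aud_jwt, legacy_victim, key),
    }
```

The last result shows that the client-side change alone closes the replay even against an AS that still accepts token endpoint audiences.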

@Erwinvandervalk Erwinvandervalk self-assigned this Dec 12, 2025
@Erwinvandervalk Erwinvandervalk marked this pull request as ready for review December 12, 2025 10:34
Copilot AI review requested due to automatic review settings December 12, 2025 10:34
Copilot AI left a comment

Pull request overview

This PR addresses a security vulnerability (CVE-2025-27370/CVE-2025-27371) in JWT client assertion samples by changing the audience claim from the token endpoint URL to the authorization server's issuer identifier. This prevents audience injection attacks where a malicious authorization server could reuse JWTs at different authorization servers.

Key changes:

  • Replaced dynamic TokenEndpoint audience values with hardcoded issuer identifier "https://demo.duendesoftware.com"
  • Added explanatory comments in WebJarJwt sample referencing the OIDF security advisory

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

Reviewed files:

  • access-token-management/samples/WorkerDI/ClientAssertionService.cs: Updated audience from token endpoint to issuer identifier
  • access-token-management/samples/Worker/ClientAssertionService.cs: Updated audience from token endpoint to issuer identifier
  • access-token-management/samples/WebJarJwt/ClientAssertionService.cs: Updated audience from token endpoint to issuer identifier with explanatory comments

@Erwinvandervalk Erwinvandervalk merged commit f82c261 into main Dec 12, 2025
3 checks passed
@Erwinvandervalk Erwinvandervalk deleted the ev/atm/authority-in-samples branch December 12, 2025 15:53