This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

JWT login does not support aud claim as string, only array #14327

Open
bradjones1 opened this issue Oct 31, 2022 · 2 comments
Labels
  • A-SSO: Single Sign-On (maybe OIDC)
  • O-Uncommon: Most users are unlikely to come across this or unexpected workflow
  • S-Minor: Blocks non-critical functionality, workarounds exist.
  • T-Defect: Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@bradjones1
Contributor

Description

First off, big thanks to everyone who works on Synapse and Matrix. You're the best!

I have a "main" app which issues JWT tokens to clients, which then use it to log in to Synapse and acquire access/refresh tokens. I am hardening this process with validation of the iss and aud claims.

My token generation library is flattening the single audience ID to a string claim value, which is allowed by the RFC but Synapse rejects.

My clue that this might be the case was in the documentation, which wraps a single audience value in an array.

Here's the relevant section of the RFC:

...
In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.

The "application specific" wording there I think gives Synapse some leeway in saying, look we only accept an array, but I think it's better to accept tokens formatted either way, at the risk of creating some "WTF" moments in token validation.

Steps to reproduce

  • Specify an audience for validation of JWT tokens
  • Attempt login with a token that contains a string value for the aud claim.
  • Synapse rejects the JWT as invalid.

Homeserver

Self-hosted

Synapse Version

1.68

Installation Method

Docker (matrixdotorg/synapse)

Platform

GKE

Relevant log output

n/a

Anything else that would be useful to know?

No response

@clokep
Contributor

clokep commented Oct 31, 2022

Maybe there's an option to tweak somewhere around

    if self.jwt_audiences is not None:
        claim_options["aud"] = {"values": self.jwt_audiences, "essential": True}
?
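
Added example (not Synapse's code and not the snippet above): a stand-alone Python audience check that accepts the single-string form of aud alongside the array form, as RFC 7519 section 4.1.3 allows, while still requiring an exact, case-sensitive match against the configured audiences and rejecting malformed claims. Function names and the sample claims are hypothetical/constructed; signature verification is assumed to have already happened.

```python
class InvalidAudience(Exception):
    """Raised when the 'aud' claim does not satisfy the configured audiences."""


def normalise_aud(aud):
    """Return the 'aud' claim as a list of strings (RFC 7519, section 4.1.3).

    A bare string is the allowed single-audience form; an array must be
    non-empty and contain only strings. Any other shape is malformed.
    """
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise InvalidAudience("aud must be a string or a non-empty array of strings")


def check_audience(claims, allowed_audiences):
    """Raise InvalidAudience unless some 'aud' value is in allowed_audiences.

    Assumes the token signature was already verified; this checks the claim only.
    allowed_audiences=None means no audience check is configured. A configured
    list makes the claim required (the same effect as "essential": True).
    """
    if allowed_audiences is None:
        return
    if "aud" not in claims:
        raise InvalidAudience("aud claim is required but missing")
    presented = normalise_aud(claims["aud"])
    # Exact, case-sensitive comparison; no prefix or substring matching.
    if not any(a in allowed_audiences for a in presented):
        raise InvalidAudience("no aud value matches the configured audiences")


def is_audience_valid(claims, allowed_audiences):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        check_audience(claims, allowed_audiences)
    except InvalidAudience:
        return False
    return True


# Constructed sample claims (hypothetical issuer and audience names, not from the issue).
CLAIMS_STRING_AUD = {"iss": "https://main-app.example", "aud": "synapse", "sub": "alice"}
CLAIMS_ARRAY_AUD = {"iss": "https://main-app.example", "aud": ["synapse", "cdn"], "sub": "alice"}
```

Both sample tokens pass against a configured audience of ["synapse"]; a token whose aud is missing, empty, mixed-type, or differs only in case is rejected.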

@DMRobertson DMRobertson added A-SSO Single Sign-On (maybe OIDC) S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. O-Uncommon Most users are unlikely to come across this or unexpected workflow labels Oct 31, 2022
@bradjones1
Contributor Author

That looks like the line!
