This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Issue #14327: JWT login does not support aud claim as string, only array
Labels:
A-SSO: Single Sign-On (maybe OIDC)
O-Uncommon: Most users are unlikely to come across this or unexpected workflow
S-Minor: Blocks non-critical functionality, workarounds exist.
T-Defect: Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
Description
First off, big thanks to everyone who works on Synapse and Matrix. You're the best!
I have a "main" app which issues JWT tokens to clients, which then use it to log in to Synapse and acquire access/refresh tokens. I am hardening this process with validation of the iss and aud claims. My token generation library is flattening the single audience ID to a string claim value, which is allowed by the RFC but Synapse rejects.
My clue that this might be the case was in the documentation, which wraps a single audience value in an array.
Here's the relevant section of the RFC:
The "application specific" wording there I think gives Synapse some leeway in saying, look we only accept an array, but I think it's better to accept tokens formatted either way, at the risk of creating some "WTF" moments in token validation.
Steps to reproduce
aud claim.
Homeserver
Self-hosted
Synapse Version
1.68
Installation Method
Docker (matrixdotorg/synapse)
Platform
GKE
Relevant log output
Anything else that would be useful to know?
No response
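An added example, not Synapse's own code, of an aud check that accepts both forms RFC 7519 permits (a single string or an array of strings) while still rejecting a missing or wrong audience. It uses only the standard library; the issuer URL, audience value and HS256 secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads it from the homeserver config.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a compact HS256 JWT (demo issuer standing in for the 'main' app)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def audience_matches(aud_claim, expected: str) -> bool:
    """RFC 7519 s4.1.3: 'aud' is one StringOrURI or an array of them; accept both."""
    if isinstance(aud_claim, str):
        return aud_claim == expected
    if isinstance(aud_claim, list):
        return any(isinstance(a, str) and a == expected for a in aud_claim)
    return False  # missing aud, or an unexpected JSON type: reject

def verify_login_token(token: str, expected_iss: str, expected_aud: str,
                       secret: bytes = DEMO_SECRET) -> dict:
    """Check signature, then iss and aud; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    if not audience_matches(claims.get("aud"), expected_aud):
        raise ValueError("aud mismatch")
    return claims
```

Signature and iss are checked before aud so a forged token is rejected regardless of which aud form it carries.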