Audience mismatch during ID Token validation despite a valid authorized party #727

Closed
5 of 6 tasks
jsamol opened this issue Aug 9, 2021 · 2 comments
@jsamol

jsamol commented Aug 9, 2021

Checklist:

  • I am using the latest release
  • I searched for existing GitHub issues
  • I read the documentation
  • I verified the client configuration matches the information in the identity provider (or I am using dynamic client registration)
  • I am either using a custom URI scheme or https with App Links for client redirect.
  • I can reproduce the issue in the demo app (optional)

Configuration

  • Version: 0.9.1
  • Integration: native(Java/Kotlin)
  • Identity provider: Google

Issue Description

Currently, the library throws an AuthorizationException during the ID token validation, while processing a TokenResponse, if the token contains an authorized party (azp) matching the client ID and an audience (aud) which is a single value other than the client ID, e.g.:

{
  "azp": "client_id",
  "aud": "my_audience",
  ...
}

According to the OIDC spec Section 2 azp Claim:

OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.

this is a valid case and should not be rejected during the validation. However, from what I saw in the code, the ID token validation takes only the OIDC spec Section 3.1.3.7. rule no. 3 into account:

The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.

The problem doesn't occur in AppAuth-iOS, where the validation is performed according to both of the sections mentioned above.
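To make the two rules quoted above concrete, here is an added example (not AppAuth-Android's own code, and not the reporter's) of an audience check that combines OIDC Core Section 3.1.3.7 rule 3 with the Section 2 azp rule: the token is accepted when aud lists the client, or when aud is a single value that differs from the client and azp names the client; every other audience must be one the client trusts, and a present azp that names a different client is rejected (that last point is rule 5 of the same section, which the issue does not quote). The class name, the decoded-claim parameters, the trustedAudiences set and the sample values are assumptions for illustration; JWT parsing and signature verification are assumed to have happened before this check.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/**
 * Added example, not AppAuth-Android's code: audience / authorized-party check for an
 * ID Token, combining OIDC Core 3.1.3.7 rule 3 with the Section 2 azp rule.
 * Claim values are passed already decoded (assumption: the caller has parsed and
 * signature-verified the JWT before calling this).
 */
public final class IdTokenAudienceCheck {

    /** Thrown when the token must be rejected; the message names the rule that failed. */
    public static final class IdTokenException extends Exception {
        IdTokenException(String message) { super(message); }
    }

    private IdTokenAudienceCheck() {}

    /**
     * @param clientId         this client's registered client_id
     * @param audience         the decoded aud claim (a single string is passed as a one-element list)
     * @param authorizedParty  the decoded azp claim, or null if absent
     * @param trustedAudiences other audiences this client accepts alongside its own id (rule 3, last sentence)
     */
    public static void validateAudience(String clientId, List<String> audience,
                                        String authorizedParty, Set<String> trustedAudiences)
            throws IdTokenException {
        if (audience == null || audience.isEmpty()) {
            throw new IdTokenException("aud claim missing");
        }

        boolean listsClient = audience.contains(clientId);

        // Section 2, azp: a single audience that differs from this client is acceptable
        // only when azp says the token was issued to this client.
        boolean singleAudienceWithAzp = audience.size() == 1
                && !listsClient
                && clientId.equals(authorizedParty);

        // Rule 3: the token must list the client as an audience (or qualify via azp above).
        if (!listsClient && !singleAudienceWithAzp) {
            throw new IdTokenException("Audience mismatch: aud does not list client "
                    + clientId + " and azp does not name it either");
        }

        // Rule 3, last sentence: any additional audience must be one this client trusts.
        if (!singleAudienceWithAzp) {
            for (String aud : audience) {
                if (!aud.equals(clientId) && !trustedAudiences.contains(aud)) {
                    throw new IdTokenException("Untrusted additional audience: " + aud);
                }
            }
        }

        // Rule 5 (SHOULD): when azp is present, it must be this client's id.
        if (authorizedParty != null && !authorizedParty.equals(clientId)) {
            throw new IdTokenException("azp " + authorizedParty + " is not client " + clientId);
        }
    }

    /** Convenience wrapper: true if validation passes, otherwise prints the reason and returns false. */
    public static boolean accepts(String clientId, List<String> audience,
                                  String authorizedParty, Set<String> trustedAudiences) {
        try {
            validateAudience(clientId, audience, authorizedParty, trustedAudiences);
            return true;
        } catch (IdTokenException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the issue; "trusted_backend" is an assumed trusted audience.
        String clientId = "client_id";
        Set<String> trusted = Collections.singleton("trusted_backend");

        // The issue's case: single foreign audience, azp names this client.
        System.out.println(accepts(clientId, Arrays.asList("my_audience"), clientId, trusted));
        // Ordinary case: aud lists the client, no azp.
        System.out.println(accepts(clientId, Arrays.asList(clientId), null, trusted));
        // Foreign single audience without azp: nothing says the token was issued to this client.
        System.out.println(accepts(clientId, Arrays.asList("my_audience"), null, trusted));
        // Multiple audiences, the extra one trusted.
        System.out.println(accepts(clientId, Arrays.asList(clientId, "trusted_backend"), clientId, trusted));
        // Multiple audiences, the extra one untrusted.
        System.out.println(accepts(clientId, Arrays.asList(clientId, "someone_else"), null, trusted));
        // azp present but naming another client.
        System.out.println(accepts(clientId, Arrays.asList(clientId), "other_client", trusted));
    }
}
```

Of the six cases in main, the first, second and fourth are accepted and the other three are rejected; the first is exactly the azp-with-single-audience token from the issue, and the third shows why the azp condition matters: the same aud value with no azp gives the client no evidence the token was issued to it.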

@agologan
Collaborator

Check it out in v0.10.0 and let me know if this works as expected.

@jsamol
Author

jsamol commented Aug 17, 2021

Yes, it's working in v0.10.0. Thanks for the quick response 😉
