| field | value | date |
|---|---|---|
| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2024-09-02 05:51:15 +1000 |
| committer | GitHub <noreply@github.com> | 2024-09-02 05:51:15 +1000 |
| commit | eefd06e81b61a113269de3e38ae6ed7d096665ee (patch) | |
| tree | af157c407eb1a65e902bb8f989d06d79010c576f /internal/storage | |
| parent | 9597c9938d1d645ac2ba9303e1b7d35244a1db5d (diff) | |
fix(oidc): jwt assertions aud overly strict (#7798)
This fixes an issue where all JWT assertions are strictly checked against the Token URL. RFC7523 Section 3 states that the JWT must contain an 'aud' claim that identifies the authorization server and that the token endpoint URL may be used, not that it must be used. RFC9126 clarifies this, stating that it should be the issuer value, and that both the token endpoint URL and pushed authorization request endpoint URL must also be accepted. This fix facilitates this. In addition, it fixes a log message, and an edge case where using a JWT assertion could trigger a handled panic.
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
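The audience rule the commit message describes (accept the issuer value, the token endpoint URL and the pushed authorization request endpoint URL, reject anything else) can be expressed as a small allow-list check. The following Go example is added here and is not Authelia's code; the endpoint values, the `AssertionAudienceValidator` type and the `AudienceFromClaims` helper are all constructed for illustration. It also covers the RFC 7519 detail that `aud` may be either a single string or an array of strings, and deliberately uses exact string comparison so that near-matches (trailing slash, different host suffix) are rejected.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed endpoint values for the example. A real authorization server
// takes these from its own configuration / discovery document.
const (
	exampleIssuer   = "https://auth.example.com"
	exampleTokenURL = "https://auth.example.com/api/oidc/token"
	examplePARURL   = "https://auth.example.com/api/oidc/pushed-authorization-request"
)

// AssertionAudienceValidator (hypothetical name) holds the set of 'aud'
// values this server accepts for an RFC 7523 JWT client assertion:
// its issuer identifier, its token endpoint and its PAR endpoint.
type AssertionAudienceValidator struct {
	accepted map[string]struct{}
}

// NewAssertionAudienceValidator builds the allow-list. Empty entries are
// skipped so an unconfigured PAR endpoint never becomes an accepted "" aud.
func NewAssertionAudienceValidator(issuer, tokenURL, parURL string) *AssertionAudienceValidator {
	v := &AssertionAudienceValidator{accepted: map[string]struct{}{}}
	for _, u := range []string{issuer, tokenURL, parURL} {
		if u = strings.TrimSpace(u); u != "" {
			v.accepted[u] = struct{}{}
		}
	}
	return v
}

// Validate returns nil when at least one 'aud' value identifies this
// server and a descriptive error otherwise. Comparison is exact: no
// normalisation, no prefix matching, so "https://auth.example.com/"
// or "https://auth.example.com.evil.test" do not pass.
func (v *AssertionAudienceValidator) Validate(aud []string) error {
	if len(aud) == 0 {
		return fmt.Errorf("assertion has no 'aud' claim")
	}
	for _, a := range aud {
		if _, ok := v.accepted[a]; ok {
			return nil
		}
	}
	return fmt.Errorf("assertion 'aud' %v does not identify this authorization server", aud)
}

// AudienceFromClaims extracts 'aud' from a decoded JWT claims object.
// RFC 7519 allows the claim to be a single string or an array of strings;
// both shapes are normalised to a []string. A missing claim yields nil.
func AudienceFromClaims(claimsJSON []byte) ([]string, error) {
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
		return nil, fmt.Errorf("decoding claims: %w", err)
	}
	if len(claims.Aud) == 0 || string(claims.Aud) == "null" {
		return nil, nil
	}
	var single string
	if err := json.Unmarshal(claims.Aud, &single); err == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(claims.Aud, &many); err != nil {
		return nil, fmt.Errorf("'aud' must be a string or an array of strings: %w", err)
	}
	return many, nil
}

func main() {
	v := NewAssertionAudienceValidator(exampleIssuer, exampleTokenURL, examplePARURL)
	// Constructed claim bodies: issuer form, array form with one good entry,
	// and a trailing-slash near-miss that exact matching correctly rejects.
	for _, claims := range []string{
		`{"aud":"https://auth.example.com"}`,
		`{"aud":["https://other.example.com","https://auth.example.com/api/oidc/token"]}`,
		`{"aud":"https://auth.example.com/api/oidc/token/"}`,
	} {
		aud, err := AudienceFromClaims([]byte(claims))
		if err == nil {
			err = v.Validate(aud)
		}
		fmt.Printf("%s -> %v\n", claims, err)
	}
}
```

The allow-list is built once from configuration rather than computed per request, which keeps the comparison a plain map lookup and makes the accepted set easy to audit.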
Diffstat (limited to 'internal/storage')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | internal/storage/sql_provider.go | 2 |

1 files changed, 1 insertions, 1 deletions
diff --git a/internal/storage/sql_provider.go b/internal/storage/sql_provider.go index 8d962f600..7154a404e 100644 --- a/internal/storage/sql_provider.go +++ b/internal/storage/sql_provider.go @@ -1304,7 +1304,7 @@ func (p *SQLProvider) LoadOAuth2BlacklistedJTI(ctx context.Context, signature st  	blacklistedJTI = &model.OAuth2BlacklistedJTI{}  	if err = p.db.GetContext(ctx, blacklistedJTI, p.sqlSelectOAuth2BlacklistedJTI, signature); err != nil { -		return nil, fmt.Errorf("error selecting oauth2 blacklisted JTI with signature '%s': %w", blacklistedJTI.Signature, err) +		return nil, fmt.Errorf("error selecting oauth2 blacklisted JTI with signature '%s': %w", signature, err)  	}  	return blacklistedJTI, nil  | 
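Review bot: the substitution of `signature` for `blacklistedJTI.Signature` in the error message is the right fix, since `blacklistedJTI` is allocated empty on the line above and `GetContext` has just failed, so the old message always logged an empty signature rather than the value that was queried. One follow-up worth considering in this hunk: the wrapped error does not distinguish a not-found row from a database failure, so a caller of `LoadOAuth2BlacklistedJTI` sees the same error text whether the JTI is simply not blacklisted or the query itself broke; if callers need to tell these apart, check for the driver's no-rows error before wrapping and return a distinct sentinel for that case.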
