Merge pull request #1007 from 3scale/oidc-aud-check

[oidc] do not use`aud` JWT claim [THREESCALE-2263]

Author: davidor

.gitignore

@@ -10,6 +10,7 @@ lua_modules/
 tmp/benchmark/
 .bash_history
 .cache/
+.cpanm
 /vendor/cache
 /.docker
 /tmp/

CHANGELOG.md

@@ -15,6 +15,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Fixed incorrect description of the `client` attribute in the Keycloak role check policy [PR #1005](https://github.com/3scale/APIcast/pull/1005), [THREESCALE_1867](https://issues.jboss.org/browse/THREESCALE-1867)
 - Segfault when normalizing some client certificates [PR #1006](https://github.com/3scale/APIcast/pull/1006)
 
+### Removed
+
+- Checking `aud` JWT claim for app_id when using OIDC integration [PR #1007](https://github.com/3scale/APIcast/pull/1007)
+
 ## [3.5.0-rc1] - 2019-03-29
 
 ### Changed

gateway/src/apicast/oauth/oidc.lua

@@ -195,14 +195,9 @@ function _M:transform_credentials(credentials, cache_key)
 
   local payload = jwt_obj.payload
 
-  local app_id = payload.azp or payload.aud
+  local app_id = payload.azp
   local ttl = timestamp_to_seconds_from_now(payload.exp)
 
-
-  --- http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
-  -- It MAY also contain identifiers for other audiences.
-  -- In the general case, the aud value is an array of case sensitive strings.
-  -- In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
   if type(app_id) == 'table' then
     app_id = app_id[1]
   end

spec/oauth/oidc_spec.lua

@@ -74,7 +74,8 @@ describe('OIDC', function()
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
-          aud = {'ce3b2e5e','notused'},
+          aud = {'notused'},
+          azp = 'ce3b2e5e',
           sub = 'someone',
           exp = ngx.now() + 10,
         },

t/apicast-oidc.t

@@ -51,7 +51,8 @@ to_json({
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::private_key, alg => 'RS256', extra_headers => { kid => 'somekid' });
@@ -106,7 +107,8 @@ to_json({
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::private_key, alg => 'RS256', extra_headers => { kid => 'somekid' });
@@ -145,7 +147,8 @@ to_json({
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::private_key, alg => 'RS256', extra_headers => { kid => 'somekid' });
@@ -199,7 +202,8 @@ to_json({
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::private_key, alg => 'RS256', extra_headers => { kid => 'somekid' });

t/apicast-policy-3scale-batcher.t

@@ -610,7 +610,8 @@ init_by_lua_block {
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::rsa, alg => 'RS256', extra_headers => { kid => 'somekid' });