[oidc] do not useaud JWT claim

it might not contain client_id, so better not to use it #988 (comment)
3scale · Apr 3, 2019 · c4726ae · c4726ae
1 parent 6f6aeb0
commit c4726ae
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 8 deletions.
diff --git a/gateway/src/apicast/oauth/oidc.lua b/gateway/src/apicast/oauth/oidc.lua
@@ -195,14 +195,9 @@ function _M:transform_credentials(credentials, cache_key)
 
   local payload = jwt_obj.payload
 
-  local app_id = payload.azp or payload.aud
+  local app_id = payload.azp
   local ttl = timestamp_to_seconds_from_now(payload.exp)
 
-
-  --- http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
-  -- It MAY also contain identifiers for other audiences.
-  -- In the general case, the aud value is an array of case sensitive strings.
-  -- In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
   if type(app_id) == 'table' then
     app_id = app_id[1]
   end

diff --git a/spec/oauth/oidc_spec.lua b/spec/oauth/oidc_spec.lua
@@ -74,7 +74,8 @@ describe('OIDC', function()
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
-          aud = {'ce3b2e5e','notused'},
+          aud = {'notused'},
+          azp = 'ce3b2e5e',
           sub = 'someone',
           exp = ngx.now() + 10,
         },

diff --git a/t/apicast-policy-3scale-batcher.t b/t/apicast-policy-3scale-batcher.t
@@ -610,7 +610,7 @@ init_by_lua_block {
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::rsa, alg => 'RS256', extra_headers => { kid => 'somekid' });