From c4726aec3463119b10d953271f2c544bfd10d783 Mon Sep 17 00:00:00 2001 From: Michal Cichra Date: Wed, 3 Apr 2019 09:57:50 +0200 Subject: [PATCH] [oidc] do not use`aud` JWT claim it might not contain client_id, so better not to use it https://github.com/3scale/APIcast/issues/988#issuecomment-477972776 --- gateway/src/apicast/oauth/oidc.lua | 7 +------ spec/oauth/oidc_spec.lua | 3 ++- t/apicast-policy-3scale-batcher.t | 2 +- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/gateway/src/apicast/oauth/oidc.lua b/gateway/src/apicast/oauth/oidc.lua index 5b28f1c00..b2a312c54 100644 --- a/gateway/src/apicast/oauth/oidc.lua +++ b/gateway/src/apicast/oauth/oidc.lua @@ -195,14 +195,9 @@ function _M:transform_credentials(credentials, cache_key) local payload = jwt_obj.payload - local app_id = payload.azp or payload.aud + local app_id = payload.azp local ttl = timestamp_to_seconds_from_now(payload.exp) - - --- http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken - -- It MAY also contain identifiers for other audiences. - -- In the general case, the aud value is an array of case sensitive strings. - -- In the common special case when there is one audience, the aud value MAY be a single case sensitive string. if type(app_id) == 'table' then app_id = app_id[1] end diff --git a/spec/oauth/oidc_spec.lua b/spec/oauth/oidc_spec.lua index 113bb50e2..0d9907dc5 100644 --- a/spec/oauth/oidc_spec.lua +++ b/spec/oauth/oidc_spec.lua @@ -74,7 +74,8 @@ describe('OIDC', function() header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' }, payload = { iss = oidc_config.issuer, - aud = {'ce3b2e5e','notused'}, + aud = {'notused'}, + azp = 'ce3b2e5e', sub = 'someone', exp = ngx.now() + 10, }, diff --git a/t/apicast-policy-3scale-batcher.t b/t/apicast-policy-3scale-batcher.t index 5f216e9a5..b5fc7f464 100644 --- a/t/apicast-policy-3scale-batcher.t +++ b/t/apicast-policy-3scale-batcher.t 
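Review bot: After `local app_id = payload.azp` a token that carries no `azp` claim leaves app_id nil, and the `if type(app_id) == 'table'` branch right below only ever applied to `aud` (OIDC Core defines `azp` as a single string), so it is now dead code rather than a guard. Dropping `aud` also removes the only audience binding this function had: any signed token from the trusted issuer is mapped to an application on the strength of `azp` alone, so a token minted for a different API in the same realm would presumably be accepted here. I would reject the missing-claim case explicitly, e.g. `if type(app_id) ~= 'string' then return nil, 'missing azp claim' end`, adjusted to whatever error convention transform_credentials uses — its body continues outside the hunk, so I cannot see what the caller does with a nil app_id. Rather than ignoring `aud` entirely, consider keeping an audience check against a configured expected value, which is what the issue thread's concern (aud not containing client_id) actually calls for.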
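Review bot: The fixture change `aud = {'notused'}` / `azp = 'ce3b2e5e'` only exercises the happy path where `azp` is present, and it documents in passing that a token whose audience does not name this client is still accepted. Add a companion case with `azp` omitted that asserts the credentials are rejected rather than resolving to a nil or empty app_id, so the new claim handling in transform_credentials is pinned by a test instead of only the success path.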
@@ -610,7 +610,7 @@ init_by_lua_block {
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::rsa, alg => 'RS256', extra_headers => { kid => 'somekid' });