3scale · davidor · Apr 9, 2019 · Apr 9, 2019 · Apr 3, 2019
@@ -10,6 +10,7 @@ lua_modules/
 tmp/benchmark/
 .bash_history
 .cache/
+.cpanm
 /vendor/cache
 /.docker
 /tmp/
@@ -15,6 +15,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Fixed incorrect description of the `client` attribute in the Keycloak role check policy [PR #1005](https://github.com/3scale/APIcast/pull/1005), [THREESCALE_1867](https://issues.jboss.org/browse/THREESCALE-1867)
 - Segfault when normalizing some client certificates [PR #1006](https://github.com/3scale/APIcast/pull/1006)
 
+### Removed
+
+- Checking `aud` JWT claim for app_id when using OIDC integration [PR #1007](https://github.com/3scale/APIcast/pull/1007)
+
 ## [3.5.0-rc1] - 2019-03-29
 
 ### Changed

@@ -195,14 +195,9 @@ function _M:transform_credentials(credentials, cache_key)
 
   local payload = jwt_obj.payload
 
-  local app_id = payload.azp or payload.aud
+  local app_id = payload.azp
   local ttl = timestamp_to_seconds_from_now(payload.exp)
 
-
-  --- http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
-  -- It MAY also contain identifiers for other audiences.
-  -- In the general case, the aud value is an array of case sensitive strings.
-  -- In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
   if type(app_id) == 'table' then
     app_id = app_id[1]
   end

@@ -74,7 +74,8 @@ describe('OIDC', function()
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
-          aud = {'ce3b2e5e','notused'},
+          aud = {'notused'},
+          azp = 'ce3b2e5e',
           sub = 'someone',
           exp = ngx.now() + 10,
         },

@@ -51,7 +51,8 @@ to_json({
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::private_key, alg => 'RS256', extra_headers => { kid => 'somekid' });
@@ -106,7 +107,8 @@ to_json({
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::private_key, alg => 'RS256', extra_headers => { kid => 'somekid' });
@@ -145,7 +147,8 @@ to_json({
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::private_key, alg => 'RS256', extra_headers => { kid => 'somekid' });
@@ -199,7 +202,8 @@ to_json({
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::private_key, alg => 'RS256', extra_headers => { kid => 'somekid' });

@@ -610,7 +610,8 @@ init_by_lua_block {
 --- more_headers eval
 use Crypt::JWT qw(encode_jwt);
 my $jwt = encode_jwt(payload => {
-  aud => 'appid',
+  aud => 'something',
+  azp => 'appid',
   sub => 'someone',
   iss => 'https://example.com/auth/realms/apicast',
   exp => time + 3600 }, key => \$::rsa, alg => 'RS256', extra_headers => { kid => 'somekid' });