This repository has been archived by the owner on Dec 7, 2020. It is now read-only.

old github.com/coreos/go-oidc #514

Closed
SvenDowideit opened this issue Apr 3, 2020 · 4 comments

Comments

@SvenDowideit

So I was having some issues with moving a slightly hacked Keycloak v4.0.5 to v9.0.2, and one thing that is hitting me is that the token aud != the clientid, but the azp does.

This then led me to realise that the github.com/coreos/go-oidc module has a v2, and they're talking about a v3, and that the code we're using is from 2017.

I have a small change to github.com/coreos/go-oidc that seems to get me further.

So I'm wondering if there's any advice: should I fork the old go-oidc and build with that for now, or is this something that's on the radar already and updating to v2 won't be an issue, or ... ?

@SvenDowideit
Author

diff --git a/oidc/verification.go b/oidc/verification.go
index d9c6afa..2a9c9cc 100644
--- a/oidc/verification.go
+++ b/oidc/verification.go
@@ -78,9 +78,20 @@ func VerifyClaims(jwt jose.JWT, issuer, clientID string) error {
        // It MAY also contain identifiers for other audiences. In the general case, the aud
        // value is an array of case sensitive strings. In the common special case when there
        // is one audience, the aud value MAY be a single case sensitive string.
+       // OPTIONAL. Authorized party - the party to which the ID Token was issued. If present,
+       // it MUST contain the OAuth 2.0 Client ID of this party.
+       // This Claim is only needed when the ID Token has a single audience value and that
+       // audience is different than the authorized party.
+       // It MAY be included even when the authorized party is the same as the sole audience...
        if aud, ok, err := claims.StringClaim("aud"); err == nil && ok {
                if aud != clientID {
-                       return fmt.Errorf("invalid claims, 'aud' claim and 'client_id' do not match, aud=%s, client_id=%s", aud, clientID)
+                       if azp, ok, err := claims.StringClaim("azp"); err == nil && ok {
+                               if azp != clientID {
+                                       return fmt.Errorf("invalid claims, 'aud' and 'azp' claim and 'client_id' do not match, aud=%s, azp=%s, client_id=%s", aud, azp, clientID)
+                               }
+                       } else {
+                               return fmt.Errorf("invalid claims, 'aud' claim and 'client_id' do not match, aud=%s, client_id=%s", aud, clientID)
+                       }
                }
        } else if aud, ok, err := claims.StringsClaim("aud"); err == nil && ok {
                if !containsString(clientID, aud) {
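Review bot: the fallback added under `if aud != clientID` lets `azp == clientID` stand in for an `aud` match, which OpenID Connect Core 1.0 section 3.1.3.7 does not allow: the client MUST validate that `aud` contains its client_id, and `azp`, when present, is an additional check (it SHOULD equal client_id), not a substitute for the audience check. With this hunk a token issued for some other audience that merely names this client in `azp` now verifies, which is the issuer-side misconfiguration that the Keycloak audience mapper is meant to correct. The array branch below (`claims.StringsClaim("aud")` / `containsString`) does not get the same fallback, so the single-string and array encodings of `aud` now behave differently. Suggest keeping the original `aud` rejection and instead adding a separate `azp` check that runs after both branches, e.g. `if azp, ok, err := claims.StringClaim("azp"); err == nil && ok && azp != clientID { return fmt.Errorf("invalid claims, 'azp' claim and 'client_id' do not match, azp=%s, client_id=%s", azp, clientID) }`. The five spec comment lines about `azp` should also move next to that check rather than sit above the `aud` comparison.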

@jangaraj
Contributor

jangaraj commented Apr 3, 2020

There is a "standard" workaround: configure a mapper, which will generate the correct aud in Keycloak - https://stackoverflow.com/questions/53550321/keycloak-gatekeeper-aud-claim-and-client-id-do-not-match

Migration to v2 will take some time, but it is on the radar - #407 (comment)
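
An added example, not code from this repository or from go-oidc, showing the audience check as OpenID Connect Core 1.0 section 3.1.3.7 specifies it, run against constructed token payloads shaped like the ones discussed in this thread. The issuer URL, the client id `gatekeeper`, the foreign audience `account` and the type and function names are assumed for illustration; the payloads are decoded claim bodies, not signed tokens, and signature and issuer validation are out of scope here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// audience accepts both encodings OpenID Connect allows for the "aud" claim:
// a single case-sensitive string, or an array of them.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud is neither a string nor an array of strings: %w", err)
	}
	*a = audience(many)
	return nil
}

// Claims is the subset of ID-token claims this check needs (type name assumed).
type Claims struct {
	Issuer          string   `json:"iss"`
	Audience        audience `json:"aud"`
	AuthorizedParty string   `json:"azp"`
}

// VerifyAudience applies the audience rules of OpenID Connect Core 1.0
// section 3.1.3.7: aud MUST contain the client_id; with several audiences an
// azp claim is expected (the spec says SHOULD; this code treats its absence as
// an error, a deliberately strict policy); if azp is present it must equal the
// client_id. azp never substitutes for the aud match.
func VerifyAudience(c Claims, clientID string) error {
	if len(c.Audience) == 0 {
		return errors.New("token has no aud claim")
	}
	found := false
	for _, a := range c.Audience {
		if a == clientID {
			found = true
			break
		}
	}
	if !found {
		return fmt.Errorf("aud %v does not list client_id %q (azp=%q is not a substitute)",
			[]string(c.Audience), clientID, c.AuthorizedParty)
	}
	if len(c.Audience) > 1 && c.AuthorizedParty == "" {
		return errors.New("multiple audiences but no azp claim")
	}
	if c.AuthorizedParty != "" && c.AuthorizedParty != clientID {
		return fmt.Errorf("azp %q does not match client_id %q", c.AuthorizedParty, clientID)
	}
	return nil
}

// CheckPayload decodes a token payload whose signature has already been
// verified elsewhere and runs the audience check on it.
func CheckPayload(payload []byte, clientID string) error {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("decode claims: %w", err)
	}
	return VerifyAudience(c, clientID)
}

// Constructed sample payloads (decoded token bodies, not real tokens).
var (
	// Shape from the issue: aud names another client, azp carries ours.
	AzpOnly = []byte(`{"iss":"https://sso.example.com/auth/realms/demo","aud":"account","azp":"gatekeeper"}`)
	// Shape after an audience mapper adds our client to aud.
	Mapped = []byte(`{"iss":"https://sso.example.com/auth/realms/demo","aud":["gatekeeper","account"],"azp":"gatekeeper"}`)
	// Plain single-audience token with no azp.
	SingleAud = []byte(`{"iss":"https://sso.example.com/auth/realms/demo","aud":"gatekeeper"}`)
	// Our client is in aud but azp names someone else.
	WrongAzp = []byte(`{"iss":"https://sso.example.com/auth/realms/demo","aud":["gatekeeper","account"],"azp":"other"}`)
	// Several audiences and no azp at all.
	MultiNoAzp = []byte(`{"iss":"https://sso.example.com/auth/realms/demo","aud":["gatekeeper","account"]}`)
)

func main() {
	samples := []struct {
		name    string
		payload []byte
	}{
		{"AzpOnly", AzpOnly}, {"Mapped", Mapped}, {"SingleAud", SingleAud},
		{"WrongAzp", WrongAzp}, {"MultiNoAzp", MultiNoAzp},
	}
	for _, s := range samples {
		fmt.Printf("%-11s -> %v\n", s.name, CheckPayload(s.payload, "gatekeeper"))
	}
}
```

Run as is, `AzpOnly` is rejected while `Mapped` and `SingleAud` pass: a token whose `aud` names only another client is not for this relying party, whatever `azp` says, which is why fixing the audience at the issuer (the mapper) is the right repair rather than relaxing the check in the verifier.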

@SvenDowideit
Author

the workaround configuration works, thanks :)

Lets me get to the next failure I need to work through: figuring out how best to hack in x-forward generation of redirect_uri :D

@abstractj

Hi @SvenDowideit I'm closing it because it will be superseded by #517. Please, add any comments there if you find more issues with go-oidc.


3 participants