Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: jwt validation correctly compares the aud with both app id and auth origin #147

Merged
merged 3 commits into from
Dec 20, 2024
Merged

fix: jwt validation correctly compares the aud with both app id and auth origin #147

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c86e409
fix: addresses an issue where auth_origin was being set to nil accide…
ctran88 Dec 20, 2024
d88248c
feat: removes auth origin from being checked in the jwt audience vali…
ctran88 Dec 20, 2024
149e9a1
refactor: remove unnecessary array wrapper
ctran88 Dec 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 2 additions & 8 deletions lib/passageidentity/auth.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,15 +76,13 @@ def validate_jwt(token)
)
end

audiences = [@auth_origin, @app_id]

claims =
JWT.decode(
token,
nil,
true,
{
aud: audiences,
aud: [@app_id],
ctran88 marked this conversation as resolved.
Show resolved Hide resolved
verify_aud: true,
algorithms: ['RS256'],
jwks: @jwks
Expand Down Expand Up @@ -162,7 +160,7 @@ def fetch_jwks
app_cache = get_cache(@app_id)

if app_cache
@jwks, @auth_origin = app_cache
@jwks = app_cache
else
auth_gw_connection =
Faraday.new(url: 'https://auth.passage.id') do |f|
Expand All @@ -172,10 +170,6 @@ def fetch_jwks
f.adapter :net_http
end

# fetch the public key if not in cache
app = fetch_app

@auth_origin = app.auth_origin
response =
auth_gw_connection.get("/v1/apps/#{@app_id}/.well-known/jwks.json")

Expand Down
Loading