OpenID Connect is not parsing the JWT according to the spec, and thus is breaking #2300

Closed
opened 2025-11-02 04:31:45 -06:00 by GiteaMirror · 0 comments
Owner

Originally created by @OvermindDL1 on GitHub (Sep 6, 2018).

  • Gitea version (or commit ref): bd1bf2a (current master as of this post)
  • Git version: 2.7.4
  • Operating system: Ubuntu Server
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist: N/A

Description

At this line of code:
bd1bf2a072/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go (L202)

	if audience != p.ClientKey {

It is performing a string comparison between audience and p.ClientKey, however, according to the OpenID Connect spec that that very source file links to just 3 lines higher states (emphasis mine):

The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.

And in fact an array is being passed in by some OpenID Connect servers, which is causing this to fail and be unusable.

The fix is fairly trivial conceptually, just need to perform a string comparison if aud is a string, else need to test if p.ClientKey is a member of the array of strings that is then in aud.

Originally created by @OvermindDL1 on GitHub (Sep 6, 2018). - Gitea version (or commit ref): bd1bf2a (current master as of this post) - Git version: 2.7.4 - Operating system: Ubuntu Server - Database (use `[x]`): - [X] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [X] Not relevant - Log gist: N/A ## Description At this line of code: https://github.com/go-gitea/gitea/blob/bd1bf2a0720b771cfe2fac3fef0fd9edd68f6317/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go#L202 ```go if audience != p.ClientKey { ``` It is performing a string comparison between `audience` and `p.ClientKey`, however, according to the OpenID Connect spec that that very source file links to just 3 lines higher states (emphasis mine): > The Client MUST validate that the `aud` (audience) Claim contains its `client_id` value registered at the Issuer identified by the `iss` (issuer) Claim as an audience. ***The `aud` (audience) Claim MAY contain an array with more than one element.*** The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client. And in fact an array is being passed in by some OpenID Connect servers, which is causing this to fail and be unusable. The fix is fairly trivial conceptually, just need to perform a string comparison if `aud` is a string, else need to test if `p.ClientKey` is a member of the array of strings that is then in `aud`.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#2300