Validating token intended for another audience

[1player]

I am working on an HTTP proxy, and among its responsibilities it needs to pass through an access token to the upstream server. Before doing so, I want to make sure the access token is valid and not expired.

Using Oidcc.Token.validate_jwt/3, validation does not pass because that function requires the token to include the client's ID in the audience field:

iex(4)> Oidcc.Token.validate_jwt(token, client_context, %{
  signing_algs: client_context.provider_configuration.token_endpoint_auth_signing_alg_values_supported, 
  trusted_audiences: ["upstream"]
})
{:error,
 {:missing_claim, {"aud", "proxy"}, %{
    "aud" => ["upstream", "account"],
    "sub" => "cb780dfc-8c40-451b-b10f-be623c8975d6",
    ...
}}}

Oidcc.Token.validate_jwt/3 has a convenient trusted_audiences option that does not behave how I expect. I want to either bypass audience check, or to indicate what is the audience I expect to find in the token. Yet, this is impossible to achieve because validation passes either iff:

• The trusted_audiences option passed to validate_jwt/3 is any (the default), AND the token's audience list includes the client's (

  oidcc/src/oidcc_token.erl

  Lines 1137 to 1141 in 697c37c

  	verify_aud_claim(#{<<"aud">> := Audience} = Claims, ClientId, any) when is_list(Audience) ->
  	case lists:member(ClientId, Audience) of
  	true -> ok;
  	false -> {error, {missing_claim, {<<"aud">>, ClientId}, Claims}}
  	end;

  )
• The trusted_audiences options is a list which necessarily has to include the client's audience: (

  oidcc/src/oidcc_token.erl

  Line 1147 in 697c37c

  true ?= lists:member(ClientId, Audience),

  )

So in all cases, the token needs to contain the client's audience to pass validation.

What is the point of the trusted_audiences option then? How do I bypass, or customize the list of valid audiences when validating a token?

[1player]

By the way, the documentation of validate_jwt/3 states the following: "aud claim must match the trusted_audiences option."

I figure this is a bug, as validation passes only if aud contains the client_id. To maintain compatibility, I would suggest that:

• rename the default value of the trusted_audiences option to :client_id, which is the current behaviour
• when trusted_audiences is a list, pass if the token's audience is a member of this list
• when trusted_audiences is :all, skip audience validation, except maybe to ensure that the token includes an aud claim at all.

[maennchen]

trusted_audiences is for something different:

https://openid.net/specs/openid-connect-core-1_0.html

3.1.3.7. ID Token Validation
Clients MUST validate the ID Token in the Token Response in the following manner:
[...]
3. The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.

According to this spec, we have to validate that aud does not contain untrusted values besides our own expected audience.

We always check that aud contains the client id from the client context. In your case, you'll need a different client context per client id at the moment. The record (Erlang) or (Struct) is public, just override the client id to what you would like to check.

[1player]

Thank you for clarifying.