Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: id token verification performs client id check #1297

Merged
merged 6 commits into from
Nov 14, 2023
Merged

fix: id token verification performs client id check #1297

merged 6 commits into from
Nov 14, 2023

Conversation

davenewza
Copy link
Contributor

Client ID verification for ID token verification

An ID token will always have the OIDC server's client ID in the sub claim, and it is important that the ID token verification steps include checking the client ID. Otherwise it's possible that the ID token was obtained from another application and wasn't intended for this app.

Supports providers with the same issuer URL

It's possible for customers to configure multiple clients from the same issuer, so this PR also supports that now.

@davenewza davenewza requested a review from a team November 13, 2023 13:26
Base automatically changed from ke-1240-move-auth-config-to-keelconfig to main November 13, 2023 14:58
louisaspicer
louisaspicer reviewed Nov 14, 2023
View reviewed changes
runtime/oauth/id_token.go
verificationErrs = errors.Join(err, verificationErrs)
} else {
span.AddEvent("ID Token verified")
return idToken, nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to verify all the providers?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's only testing against the providers which have the same issuer as the ID token:
providers, err := authConfig.GetOidcProvidersByIssuer(issuer)

@davenewza davenewza merged commit 269ff40 into main Nov 14, 2023
10 checks passed
@davenewza davenewza deleted the chore/oidc-client-id-check branch November 14, 2023 13:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@louisaspicer louisaspicer louisaspicer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@davenewza @louisaspicer