fix(authentication): jwt assertions audience too strict

[james-d-elliott]

This fixes an issue where all JWT assertions are strictly checked against the Token URL. RFC7523 Section 3 states that the JWT must contain an 'aud' claim that identifies the authorization server and that the token endpoint URL may be used, not that it must be used. RFC9126 clarifies this that it should be the issuer value, and that both the token endpoint URL and pushed authorization request endpoint URL must also be accepted. This fix facilitate this.

[coderabbitai]

Walkthrough

The changes across the codebase involve a transition from using a single TokenURL for JWT validation to implementing a more flexible approach with AllowedJWTAssertionAudiences. This new structure allows for multiple acceptable audience values for JWT assertions, enhancing audience validation and improving the overall security framework for client authentication.

Changes

Files	Change Summary
client_authentication_strategy.go	Updated DefaultClientAuthenticationStrategy to replace TokenURLProvider with AllowedJWTAssertionAudiencesProvider. Added audience validation logic in JWT authentication methods.
client_authentication_test.go	Enhanced error handling in TestAuthenticateClient. Updated configuration to include AllowedJWTAssertionAudiences, replacing TokenURL.
config.go	Introduced AllowedJWTAssertionAudiencesProvider interface for specifying allowed audiences for JWT assertions.
config_default.go	Modified Config struct to remove TokenURL and include AllowedJWTAssertionAudiences. Updated related methods accordingly.
fosite.go	Changed Configurator interface to use AllowedJWTAssertionAudiencesProvider instead of TokenURLProvider.
handler/rfc7523/handler.go	Replaced oauth2.TokenURLProvider with oauth2.AllowedJWTAssertionAudiencesProvider in the Config interface. Enhanced audience validation logic in validateTokenClaims method.
handler/rfc7523/handler_test.go	Updated oauth2.Config structure to replace TokenURL with AllowedJWTAssertionAudiences. Adjusted test assertions to reflect the new audience validation logic.
integration/authorize_jwt_bearer_required_iat_test.go	Replaced TokenURL with AllowedJWTAssertionAudiences in TestAuthorizeJWTBearerRequiredIATSuite.
integration/authorize_jwt_bearer_required_jti_test.go	Updated TestAuthorizeJWTBearerRequiredJtiSuite to use AllowedJWTAssertionAudiences instead of TokenURL.
integration/authorize_jwt_bearer_test.go	Changed TokenURL to AllowedJWTAssertionAudiences in TestAuthorizeJWTBearerSuite.
integration/introspect_jwt_bearer_token_test.go	Replaced TokenURL with AllowedJWTAssertionAudiences in TestIntrospectJWTBearerTokenSuite.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between acbadb6 and 717008c.

Files selected for processing (11)

• client_authentication_strategy.go (3 hunks)
• client_authentication_test.go (3 hunks)
• config.go (1 hunks)
• config_default.go (3 hunks)
• fosite.go (1 hunks)
• handler/rfc7523/handler.go (3 hunks)
• handler/rfc7523/handler_test.go (4 hunks)
• integration/authorize_jwt_bearer_required_iat_test.go (1 hunks)
• integration/authorize_jwt_bearer_required_jti_test.go (1 hunks)
• integration/authorize_jwt_bearer_test.go (1 hunks)
• integration/introspect_jwt_bearer_token_test.go (1 hunks)

Additional comments not posted (21)

integration/authorize_jwt_bearer_required_jti_test.go (1)

92-92: LGTM! The change enhances the flexibility and security of the audience validation mechanism.

The replacement of TokenURL with AllowedJWTAssertionAudiences allows for multiple acceptable audience values for JWT assertions. This change improves the flexibility and security of the audience validation mechanism.

Please verify the impact of this change on downstream functionality that relies on the audience validation mechanism. Consider running integration tests or manually testing relevant scenarios to ensure the expected behavior.

integration/authorize_jwt_bearer_required_iat_test.go (1)

93-93: LGTM! The change enhances the flexibility of the audience validation mechanism.

The replacement of TokenURL with AllowedJWTAssertionAudiences allows for multiple acceptable audience values for JWT assertions. This change improves the flexibility of the audience validation mechanism.

Please verify the impact of this change on the validation logic related to JWT processing. Consider running integration tests or manually testing relevant scenarios to ensure the expected behavior.

fosite.go (1)

187-187: LGTM! The change aligns with the modifications made in the test files.

The replacement of TokenURLProvider with AllowedJWTAssertionAudiencesProvider in the Configurator interface aligns with the changes made in the test files. This change indicates a shift in the responsibilities of the interface to handle allowed audiences for JWT assertions instead of providing a token URL.

Please verify the impact of this change on components that implement or interact with the Configurator interface. Consider running integration tests or manually testing relevant scenarios to ensure the expected behavior.

integration/introspect_jwt_bearer_token_test.go (1)

236-236: LGTM! The change aligns with the new audience validation approach.

The modification replaces the TokenURL field with AllowedJWTAssertionAudiences, initialized with a slice containing tokenURL. This change indicates a shift towards validating JWT assertions against allowed audiences, rather than a single token URL.

handler/rfc7523/handler.go (2)

26-26: LGTM! The change in the Config interface aligns with the new audience validation approach.

The Config interface now includes oauth2.AllowedJWTAssertionAudiencesProvider instead of oauth2.TokenURLProvider, which aligns with the shift towards validating JWT assertions against allowed audiences.

---

Line range hint 234-268: LGTM! The changes in the validateTokenClaims method improve audience validation and error handling.

The modifications in the validateTokenClaims method include:

• Retrieving the allowed JWT assertion audiences from the configuration.
• Returning an error if no audiences are configured, indicating that the JWT cannot be validated.
• Iterating through the audience claims and comparing them against the allowed audiences using a constant-time comparison.

These changes enhance error handling by providing clearer feedback when the server is not set up to accept JWT assertions. The audience validation logic has been improved to ensure that the JWT assertion contains at least one of the allowed audience values, preventing timing attacks.

integration/authorize_jwt_bearer_test.go (1)

415-415: LGTM! The change aligns with the new audience validation approach.

The modification replaces the TokenURL field in the configuration structure with AllowedJWTAssertionAudiences, initialized with a slice containing tokenURL. This change indicates a shift towards validating JWT assertions against allowed audiences, rather than a single token URL, which may impact how the authorization logic is tested.

config.go (2)

305-305: LGTM!

The new interface AllowedJWTAssertionAudiencesProvider is a good addition to enhance the functionality related to JWT validation by allowing contexts to specify which audiences are acceptable when validating requests.

---

306-307: LGTM!

The new method GetAllowedJWTAssertionAudiences aligns with the purpose of the new interface AllowedJWTAssertionAudiencesProvider.

client_authentication_strategy.go (5)

25-25: LGTM!

The change in the Config interface to include AllowedJWTAssertionAudiencesProvider instead of TokenURLProvider is a good shift in focus towards audience validation for JWT assertions.

---

280-280: LGTM!

The changes in the doAuthenticateAssertionParseAssertionJWTBearer method to prioritize audience validation and return an error if the audience list is empty enhance the security of the authentication process by ensuring that only assertions with valid audiences are accepted.

Also applies to: 282-283, 288-288

---

331-363: LGTM!

The new method doAuthenticateAssertionJWTBearerClaimAudience enhances the security of the authentication process by ensuring that only assertions with valid audiences are accepted. It iterates through the claims' audience and checks against the provided audience list, returning an error if no valid match is found.

---

323-326: LGTM!

Calling the new doAuthenticateAssertionJWTBearerClaimAudience method in the doAuthenticateAssertionParseAssertionJWTBearer method to verify the audience claim aligns with the purpose of the new method and enhances the security of the authentication process.

---

331-331: LGTM!

The addition of the new method doAuthenticateAssertionJWTBearerClaimAudience to the DefaultClientAuthenticationStrategy struct aligns with the purpose of the struct and enhances its functionality.

config_default.go (3)

98-101: LGTM!

The change in the Config struct to replace the TokenURL field with AllowedJWTAssertionAudiences reflects a shift from a single token URL to a more flexible configuration that accommodates multiple audiences for JWT assertions, enhancing the security and compatibility of the authorization server with various client authentication methods.

---

280-281: LGTM!

The change in the GetAllowedJWTAssertionAudiences method to return the new AllowedJWTAssertionAudiences field instead of the deprecated TokenURL indicates a broader adjustment in the API, aligning it with the new configuration structure.

---

655-655: LGTM!

The change in the type assertion in the variable declarations at the end of the file to reflect the new provider for the allowed JWT assertion audiences, replacing the previous TokenURLProvider with AllowedJWTAssertionAudiencesProvider, aligns with the new configuration structure and interface changes.

handler/rfc7523/handler_test.go (2)

78-78: LGTM!

The changes to the oauth2.Config structure and the corresponding updates to the test assertions align with the transition from using a single TokenURL for JWT validation to implementing a more flexible approach with AllowedJWTAssertionAudiences. This enhances audience validation and improves the overall security framework for client authentication.

Also applies to: 337-339

---

855-858: LGTM!

The changes to the oauth2.Config structure align with the transition from using a single TokenURL for JWT validation to implementing a more flexible approach with AllowedJWTAssertionAudiences. This enhances audience validation and improves the overall security framework for client authentication.

client_authentication_test.go (2)

700-702: LGTM!

The changes to the Config struct, including the addition of the AllowedJWTAssertionAudiences field and the removal of the TokenURL field, indicate a shift towards stricter validation of JWT assertions by explicitly defining acceptable audiences. This improves security and compliance with authentication standards.

---

574-576: LGTM!

The expanded error message associated with the expectErr field provides more detailed information regarding potential issues with the client_assertion value, specifying various reasons for failure, including integrity verification issues, usage timing constraints, and validation of the 'aud' claim against expected values. This enhances the clarity of error reporting, making it easier for developers to diagnose authentication failures.