Improve token audience handling with JWT authentication

Description

Among other claims validators, the current default security configuration specifies an AudienceClaimsValidator. It verifies that the token used in JWT authentication has an audience (aud) claim pointing to the endpoint that is being called. This doesn’t seem to be fully in line with the spec [1], see section 3, bullet 3:

The JWT MUST contain an "aud" (audience) claim containing a value that identifies the authorization server as an intended audience. The token endpoint URL of the authorization server MAY be used as a value for an "aud" element to identify the authorization server as an intended audience of the JWT.

It feels that we should accept both OP’s issuer value and the token endpoint URL as audience by default.

[1]

Environment

None

Activity

Henri Mikkonen 
May 4, 2023 at 11:35 AM

Documented the new logic on (included in Token, Introspection and Revocation pages)

Henri Mikkonen 
April 14, 2023 at 6:08 AM

Refactored the existing AudienceClaimsValidator in commons so that it can be extended to deal with multiple accepted audiences. A new validator AuthenticationAudienceClaimsValidator extends it and provides means to accept the issuer value (responder ID) and the token endpoint URL in addition to the single accepted audience.

OP now uses the new validator for validating the audience claim in JWT authentication by default. A custom bean can be wired via the idp.oauth2.jwtAuth.audienceValidator property. The default configuration accepts the issuer value (via responder ID lookup), the flow endpoint URL and the token endpoint URL as audience in the token, introspection and revocation endpoints. The set of endpoints at which the token endpoint URL is accepted as audience may be configured via the idp.oauth2.jwtAuth.audienceValidator.endpointTargets property.
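The validation logic described in the comment above, written out as an added example in Python rather than the plugin's Java. This is not the plugin's own code: the issuer, endpoint URLs, client id and client secret are constructed, the accepted-audience set is built exactly as the comment describes it (the endpoint being called, the issuer as responder ID, and the token endpoint URL only at the configured endpoint targets), and the assertion is signed with HS256 over the client secret (client_secret_jwt) purely so the example runs with the standard library; private_key_jwt differs only in the signature check. The other RFC 7523 section 3 checks (iss and sub equal the client_id, exp in the future) are included so the audience step is seen in context; a jti replay cache is left out.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed OP configuration (hypothetical URLs, not the plugin's real paths).
ISSUER = "https://op.example.org"                 # OP issuer, i.e. the responder ID
TOKEN_ENDPOINT = ISSUER + "/oauth2/token"
INTROSPECTION_ENDPOINT = ISSUER + "/oauth2/introspect"
REVOCATION_ENDPOINT = ISSUER + "/oauth2/revoke"
# Endpoints at which the token endpoint URL is additionally accepted as audience;
# mirrors the default set named in the comment (token, introspection, revocation).
ENDPOINT_TARGETS = {TOKEN_ENDPOINT, INTROSPECTION_ENDPOINT, REVOCATION_ENDPOINT}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce a client_secret_jwt-style assertion (HS256 keyed with the client secret)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Check the HS256 signature and return the claims; refuse any other alg (e.g. none)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def accepted_audiences(flow_endpoint: str, issuer: str = ISSUER,
                       token_endpoint: str = TOKEN_ENDPOINT,
                       endpoint_targets: set = ENDPOINT_TARGETS) -> set:
    """Audience values accepted for a JWT presented at flow_endpoint."""
    accepted = {flow_endpoint, issuer}          # endpoint being called + issuer (responder ID)
    if flow_endpoint in endpoint_targets:
        accepted.add(token_endpoint)            # token endpoint URL only where configured
    return accepted


def audience_claim_ok(claims: dict, flow_endpoint: str, **config) -> bool:
    """RFC 7519 semantics: aud is a string or an array; one accepted value suffices."""
    aud = claims.get("aud")
    if aud is None:
        return False
    values = [aud] if isinstance(aud, str) else list(aud)
    accepted = accepted_audiences(flow_endpoint, **config)
    return any(isinstance(v, str) and v in accepted for v in values)


def authenticate_client(assertion: str, flow_endpoint: str, client_id: str,
                        client_secret: bytes, now: float = None) -> dict:
    """Minimal RFC 7523 section 3 checks on a client assertion; raises ValueError on failure."""
    claims = verify_hs256(assertion, client_secret)
    now = time.time() if now is None else now
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both be the client_id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("assertion expired or exp missing")
    if not audience_claim_ok(claims, flow_endpoint):
        raise ValueError(f"aud {claims.get('aud')!r} not accepted at {flow_endpoint}")
    return claims


if __name__ == "__main__":
    secret, cid, now = b"constructed-client-secret", "client-1", 1_700_000_000
    for aud, endpoint in [(ISSUER, TOKEN_ENDPOINT),
                          (TOKEN_ENDPOINT, INTROSPECTION_ENDPOINT),
                          (TOKEN_ENDPOINT, ISSUER + "/oauth2/authorize")]:
        token = sign_hs256({"iss": cid, "sub": cid, "aud": aud, "exp": now + 300, "jti": "x"}, secret)
        try:
            authenticate_client(token, endpoint, cid, secret, now=now)
            print("accepted:", aud, "at", endpoint)
        except ValueError as err:
            print("rejected:", err)
```

The third case in the demo is the one the endpointTargets setting exists for: an assertion whose aud is the token endpoint URL is accepted at the introspection endpoint but rejected at an endpoint outside the configured target set, so the looser audience rule cannot be used to replay a token-endpoint assertion against arbitrary flows.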

Completed

Details

Created March 27, 2023 at 2:48 PM
Updated May 12, 2023 at 10:30 AM
Resolved May 4, 2023 at 11:35 AM