Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: OAuth2 iss claim verification in JWT/OIDC authenticators when used with metadata_endpoint #1660

Merged
merged 1 commit into from
Jul 25, 2024
Merged

fix: OAuth2 iss claim verification in JWT/OIDC authenticators when used with metadata_endpoint #1660

merged 1 commit into from
Jul 25, 2024

Conversation

dadrus
Copy link
Owner

@dadrus dadrus commented Jul 25, 2024

Related issue(s)

same as #1658 (but for the release branch, cherry pick from the referenced PR)

Checklist

  • I agree to follow this project's Code of Conduct.
  • I have read, and I am following this repository's Contributing Guidelines.
  • I have read the Security Policy.
  • I have referenced an issue describing the bug/feature request.
  • I have added tests that prove the correctness of my implementation.

Description

The verification of the claims is done using an Expectation object initially created from the jwt authenticator configuration. If the metadata_endpoint is used, a new Expectation object, based on the above said one, is created. The contents of that new object is a result of merging the properties from the initial object with data received from the OIDC discovery endpoint, where new data is only used in the resulting object if the old one didn't have them set. Unfortunately the implementation of the Merge() method, responsible for the creation of that new object was not idempotent. It updated the properties of the initial object during the merge. That way the subsequent Expectation objects had wrong values.

This PR changes the implementation of this method and actually all receivers of the Expectation struct to always work on a copy of the corresponding objects.

Additional Info

Most uses of the function are only called once, where the bug isn't triggered. However, this prevented the JWT issuer with dynamic Issuer URLs from working correctly because only the first issuer would be taken for eternity as described in the linked bug ticket.

@codecov Codecov
Copy link

codecov bot commented Jul 25, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.18%. Comparing base (522e151) to head (fed9072).

Additional details and impacted files 
@@             Coverage Diff             @@
##           release    #1660      +/-   ##
===========================================
- Coverage    89.25%   89.18%   -0.08%     
===========================================
  Files          270      270              
  Lines         8878     8876       -2     
===========================================
- Hits          7924     7916       -8     
- Misses         705      708       +3     
- Partials       249      252       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@dadrus dadrus merged commit a9947f2 into release Jul 25, 2024
23 checks passed
@dadrus dadrus deleted the fix/oauth_issue branch July 25, 2024 17:36
@github-actions github-actions bot mentioned this pull request Jul 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@dadrus