From 1010a882dbfab2abaacf035759738b4305a942d0 Mon Sep 17 00:00:00 2001
From: OvermindDL1
Date: Wed, 5 Sep 2018 23:23:44 -0600
Subject: [PATCH 1/2] Fix #4877 to follow the OpenID Connect Audiences spec

This follows the OpenID Connect spec to support audiences with either a string or an array of strings instead of just a string.

Signed-off-by: Gabriel Robertson
---
 .../providers/openidConnect/openidConnect.go | 30 ++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go b/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go
index 44419ba15f60..a4ff1d40ff26 100644
--- a/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go
+++ b/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go
@@ -200,7 +200,17 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
 func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) {
 	audience := getClaimValue(claims, []string{audienceClaim})
 	if audience != p.ClientKey {
-		return time.Time{}, errors.New("audience in token does not match client key")
+		found := false
+		audiences := getClaimValues(claims, []string{audienceClaim})
+		for _, aud := range audiences {
+			if aud == p.ClientKey {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return time.Time{}, errors.New("audience in token does not match client key")
+		}
 	}
 
 	issuer := getClaimValue(claims, []string{issuerClaim})
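Review bot: The new array branch in validateClaims accepts any ID Token whose `aud` list contains p.ClientKey, but OpenID Connect Core §3.1.3.7 also says a token with multiple audiences SHOULD carry an `azp` claim equal to the client_id, and MUST be rejected if it lists audiences the client does not trust; the hunk checks neither. The `azp` part is cheap to add right after the `!found` check using the existing getClaimValue helper, as below; the "untrusted extra audiences" part needs a trusted-audience list the Provider does not appear to have, so at minimum document that multi-audience tokens are accepted as long as this client is among them. Note that a missing `aud` claim already fails closed here, since getClaimValues then returns nil and `found` stays false. validateClaims continues past the hunk with the issuer check.
```go
		if !found {
			return time.Time{}, errors.New("audience in token does not match client key")
		}
		// OIDC Core §3.1.3.7: when aud has several values, azp should name this client.
		if len(audiences) > 1 {
			if azp := getClaimValue(claims, []string{"azp"}); azp != p.ClientKey {
				return time.Time{}, errors.New("azp in token does not match client key")
			}
		}
```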
@@ -355,6 +365,24 @@ func getClaimValue(data map[string]interface{}, claims []string) string {
 	return ""
 }
 
+func getClaimValues(data map[string]interface{}, claims []string) []string {
+	var result []string
+
+	for _, claim := range claims {
+		if value, ok := data[claim]; ok {
+			if stringValues, ok := value.([]interface{}); ok {
+				for _, stringValue := range stringValues {
+					if s, ok := stringValue.(string); ok && len(s) > 0 {
+						result = append(result, s)
+					}
+				}
+			}
+		}
+	}
+
+	return result
+}
+
 // decodeJWT decodes a JSON Web Token into a simple map
 // http://openid.net/specs/draft-jones-json-web-token-07.html
 func decodeJWT(jwt string) (map[string]interface{}, error) {

From 6db8b267c42d00d7dc616a5c718205aba18b175f Mon Sep 17 00:00:00 2001
From: Lauris BH
Date: Thu, 20 Sep 2018 07:45:53 +0300
Subject: [PATCH 2/2] Update goth dependency

---
 Gopkg.lock | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Gopkg.lock b/Gopkg.lock
index 04c7d18334ae..056d8fd6f77b 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -3,11 +3,11 @@ [[projects]] branch = "master" - digest = "1:42f77a668e3bd06812ef254f334d0d0a62346969fbcd3fa3a613e75067343751" + digest = "1:835585f8450b4ec12252d032b0f13e6571ecf846e49076f69067f2503a7c1e07" name = "code.gitea.io/git" packages = ["."] pruneopts = "NUT" - revision = "31f4b8e8c805438ac6d8914b38accb1d8aaf695e" + revision = "6ef79e80b3b06ca13a1f3a7b940903ebc73b44cb" [[projects]] branch = "master" @@ -547,7 +547,7 @@ revision = "e3534c89ef969912856dfa39e56b09e58c5f5daf" [[projects]] - digest = "1:fb22af9d8c1a6166ad299705648db460ba2c28a830f7f6cdd830019d7c3fd96f" + digest = "1:23f75ae90fcc38dac6fad6881006ea7d0f2c78db5f9f81f3df558dc91460e61f" name = "github.com/markbates/goth" packages = [ ".", 
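Review bot: getClaimValues returns nil when the claim holds a bare string, so its name promises more than it delivers and the caller in validateClaims has to special-case the string form through getClaimValue first; handling both JSON shapes inside the helper gives callers one uniform slice and removes that split. The helper also has no doc comment; something like `// getClaimValues returns the non-empty string elements of every listed claim that is present in data, accepting either a single string or an array of strings.` would state the contract. The rewrite below keeps the nil return for absent or non-string values and still drops empty strings, so existing callers see the same results for array-valued claims.
```go
func getClaimValues(data map[string]interface{}, claims []string) []string {
	var result []string

	for _, claim := range claims {
		value, ok := data[claim]
		if !ok {
			continue
		}
		switch v := value.(type) {
		case string:
			// RFC 7519 §4.1.3 allows aud to be a single string; expose it as a one-element list.
			if len(v) > 0 {
				result = append(result, v)
			}
		case []interface{}:
			for _, elem := range v {
				if s, ok := elem.(string); ok && len(s) > 0 {
					result = append(result, s)
				}
			}
		}
	}
	// … unchanged: return result …
```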
@@ -562,8 +562,8 @@ "providers/twitter", ] pruneopts = "NUT" - revision = "4933f155d89c3c52ab4ca545c6602cf4a1e87913" - version = "1.45.5" + revision = "f9c6649ab984d6ea71ef1e13b7b1cdffcf4592d3" + version = "v1.46.1" [[projects]] digest = "1:3ef954101983406a71171c4dc816a73e01bb3de608b3dd063627aa67a459f3e3"