Handle when aud OIDC claim is an Array (#4584)

* Handle when `aud` OIDC claim is an Array The `aud` claim of OIDC id_tokens [can be an array](https://github.com/authts/oidc-client-ts/blob/ce6d694639c58e6a1c80904efdac5eda82b82042/src/Claims.ts#L92) but the existing logic incorrectly assumes `aud` is always a string. This PR adds the necessary check. * Clarify `aud` OIDC claim check * Fix for prettier --------- Co-authored-by: David Baker <[email protected]>
matrix-org · Dec 16, 2024 · 693bb22 · 693bb22
1 parent 315e81b
commit 693bb22
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/spec/unit/oidc/validate.spec.ts b/spec/unit/oidc/validate.spec.ts
@@ -170,6 +170,23 @@ describe("validateIdToken()", () => {
         expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
     });
 
+    it("should not throw when audience is an array that includes clientId", () => {
+        mocked(jwtDecode).mockReturnValue({
+            ...validDecodedIdToken,
+            aud: [clientId],
+        });
+        expect(() => validateIdToken(idToken, issuer, clientId, nonce)).not.toThrow();
+    });
+
+    it("should throw when audience is an array that does not include clientId", () => {
+        mocked(jwtDecode).mockReturnValue({
+            ...validDecodedIdToken,
+            aud: [`${clientId},uiop`, "asdf"],
+        });
+        expect(() => validateIdToken(idToken, issuer, clientId, nonce)).toThrow(new Error(OidcError.InvalidIdToken));
+        expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
+    });
+
     it("should throw when nonce does not match", () => {
         mocked(jwtDecode).mockReturnValue({
             ...validDecodedIdToken,

diff --git a/src/oidc/validate.ts b/src/oidc/validate.ts
@@ -179,7 +179,8 @@ export const validateIdToken = (
          * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
          * EW: Don't accept tokens with other untrusted audiences
          * */
-        if (claims.aud !== clientId) {
+        const sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : claims.aud;
+        if (!sanitisedAuds.includes(clientId)) {
             throw new Error("Invalid audience");
         }