Merge pull request #240 from OvermindDL1/patch-1

bentranter · web-flow · commit f9c6649ab984 · 2018-09-18T22:44:29.000-04:00
Follow the OpenID Connect Audiences spec
diff --git a/providers/openidConnect/openidConnect.go b/providers/openidConnect/openidConnect.go
@@ -200,7 +200,17 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
 func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) {
 	audience := getClaimValue(claims, []string{audienceClaim})
 	if audience != p.ClientKey {
-		return time.Time{}, errors.New("audience in token does not match client key")
+		found := false
+		audiences := getClaimValues(claims, []string{audienceClaim})
+		for _, aud := range audiences {
+			if aud == p.ClientKey {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return time.Time{}, errors.New("audience in token does not match client key")
+		}
 	}
 
 	issuer := getClaimValue(claims, []string{issuerClaim})
@@ -355,6 +365,24 @@ func getClaimValue(data map[string]interface{}, claims []string) string {
 	return ""
 }
 
+func getClaimValues(data map[string]interface{}, claims []string) []string {
+	var result []string
+
+	for _, claim := range claims {
+		if value, ok := data[claim]; ok {
+			if stringValues, ok := value.([]interface{}); ok {
+				for _, stringValue := range stringValues {
+					if s, ok := stringValue.(string); ok && len(s) > 0 {
+						result = append(result, s)
+					}
+				}
+			}
+		}
+	}
+
+	return result
+}
+
 // decodeJWT decodes a JSON Web Token into a simple map
 // http://openid.net/specs/draft-jones-json-web-token-07.html
 func decodeJWT(jwt string) (map[string]interface{}, error) {
