Comments (4)
Maddeningly, the fix has nothing to do with the processing of token claims; I have no idea why that is the error I usually get, but sometimes the error is the more useful jwt.ErrInvalidAudience:
square/go-jose/jwt: validation failed, invalid audience claim (aud)
Looking at the JOSE source, which was the behavior prior to #176, it skips audience validation if there is no list of expected audiences. To match that behavior, the change would be:
--- a/validator/validator.go
+++ b/validator/validator.go
@@ -142,15 +142,17 @@
return jwt.ErrInvalidIssuer
}
- foundAudience := false
- for _, value := range expectedClaims.Audience {
- if actualClaims.Audience.Contains(value) {
- foundAudience = true
- break
+ if len(expectedClaims.Audience) != 0 {
+ foundAudience := false
+ for _, value := range expectedClaims.Audience {
+ if actualClaims.Audience.Contains(value) {
+ foundAudience = true
+ break
+ }
+ }
+ if !foundAudience {
+ return jwt.ErrInvalidAudience
}
- }
- if !foundAudience {
- return jwt.ErrInvalidAudience
}
if actualClaims.NotBefore != nil && expectedClaims.Time.Add(leeway).Before(actualClaims.NotBefore.Time()) {
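Review bot: wrapping the whole audience check in `if len(expectedClaims.Audience) != 0 {` means a caller that passes an empty list (including the `[]string{}` shown in the configuration further down this thread) gets no audience validation at all, silently; a token minted for any other audience would pass this validator. If skipping is the intended behaviour, the doc comment on the function should state that an empty expected audience disables the `aud` check, and it is worth deciding whether `nil` (not configured) and `[]string{}` (explicitly empty) should be treated the same, since the hunk collapses both into "skip". Also note the new `if !foundAudience {` block closes one brace earlier than the loop it replaces, so the closing `}` at the end of the hunk now belongs to the outer `if`; gofmt will make that layout obvious.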
But looking at #211, it seems as though perhaps we need to add audiences to our validation. We, it turns out, had custom validation configured like so:
return validator.New(
	provider.KeyFunc,
	validator.RS256,
	cfg.Issuer,
	// The included audience validator is validating that every audience provided is present on claims, but we need to allow
	// any of the provided audiences so do that with a custom validator
	[]string{},
	validator.WithCustomClaims(func() validator.CustomClaims {
		return NewOneOfAudienceClaimValidator(allowedAudiences)
	}),
)
But perhaps we were misreading the source previously, cause looking at it now it looks like it is indeed validating any audience. Is that right?
from go-jwt-middleware.
Hey @theory 👋🏻 , apologies for the delay getting back here.
You're right in the belief that this is down to #176, that change made the middleware always attempt to validate the aud claim in the JWT against the list of provided audiences even if none are provided. That change validates that one of the provided audiences matches so I think you should be good to replace your custom claims handler with just providing the audiences directly.
This change was then improved upon later in #183 to return an error if the provided audience array is empty (rather than nil) but unfortunately hasn't been released so I'll look to get that released in the near future to hopefully make this error more intuitive.
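The "one of the provided audiences must match" rule described in the reply above, with the empty-list error that #183 is said to add, written out as a stand-alone Go function. This is an added example, not code from go-jwt-middleware or from the poster; the function name, the error variables and the sample claim values are assumptions made for illustration, and a real deployment would use the library's own validator rather than this helper.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical sentinel errors for this example; the real library has its
// own error values and messages.
var (
	// ErrNoExpectedAudience is returned when the caller configured no
	// audiences at all. Failing closed here is the point of the thread:
	// silently skipping the aud check would accept tokens minted for any
	// other audience.
	ErrNoExpectedAudience = errors.New("audience validation requires at least one expected audience")
	// ErrInvalidAudience is returned when none of the expected audiences
	// appear in the token's aud claim.
	ErrInvalidAudience = errors.New("invalid audience claim (aud)")
)

// ValidateAnyAudience accepts the token when at least one of the expected
// audiences is present in the token's aud claim ("any of" semantics, as the
// maintainer describes), and refuses to run with an empty expected list.
// `actual` is the aud claim as a list (a single-string aud is modelled as a
// one-element list). Both nil and an empty slice for `expected` are treated
// as "not configured" and rejected.
func ValidateAnyAudience(actual, expected []string) error {
	if len(expected) == 0 {
		return ErrNoExpectedAudience
	}
	present := make(map[string]struct{}, len(actual))
	for _, aud := range actual {
		present[aud] = struct{}{}
	}
	for _, want := range expected {
		if _, ok := present[want]; ok {
			return nil
		}
	}
	return ErrInvalidAudience
}

func main() {
	// Constructed sample claims: a token issued for the "api" audience.
	tokenAud := []string{"api"}

	// Caller accepts tokens for either the web app or the API: passes.
	fmt.Println("any-of match:", ValidateAnyAudience(tokenAud, []string{"web", "api"}))
	// Caller only accepts the web app: rejected.
	fmt.Println("no overlap:  ", ValidateAnyAudience(tokenAud, []string{"web"}))
	// Caller configured no audiences, like the []string{} in the thread: rejected
	// with a configuration error instead of silently skipping the check.
	fmt.Println("empty list:  ", ValidateAnyAudience(tokenAud, []string{}))
}
```

The map makes the check linear in the size of both lists, which matters little for a handful of audiences but keeps the comparison exact (no substring or prefix matching, which is a common source of audience-confusion bugs).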
Thanks! I've updated our code to remove our custom audience validation and all seems well now. Will be handy to have the improved error output. Not sure there's anything to be done if someone wants to replace the audience validation, though. Not that it's a good idea, mind.
Great to hear, and yeah as mentioned in #211 the audience validation is a requirement this library has based on its purpose so the previous behaviour was classified as a bug.
I'll close this issue out, but thanks again for filing!