dgrijalva / jwt-go

ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
https://github.com/golang-jwt/jwt
MIT License

Fix security issue with aud validation #429

Closed Waterdrips closed 3 years ago

Waterdrips commented 4 years ago

Aud validation on the JWT was being bypassed if a list of claims was presented to the server. This commit checks if the aud claim is a list of strings; if not, it checks if it's a single string; if not, it will return invalid.

This fixes #422 #428

Signed-off-by: Alistair Hey alistair.hey@form3.tech
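The check the PR description outlines, as an added example that is not the PR's diff or the library's own code: a simplified before/after pair over a MapClaims map, where the function names verifyAudBefore and verifyAudAfter, the MapClaims type and the sample claims are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

type MapClaims map[string]interface{} // decoded claims as in jwt-go; a JSON "aud" list is []interface{}

// verifyAudBefore shows the pre-fix pattern: a list aud asserts to "", i.e. "absent", so it only fails if required.
func verifyAudBefore(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// verifyAudAfter follows the PR: a list of strings or a single string is accepted, anything else is invalid.
func verifyAudAfter(m MapClaims, cmp string, required bool) bool {
	var aud []string
	switch v := m["aud"].(type) {
	case string:
		aud = []string{v}
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false
			}
			aud = append(aud, s)
		}
	default:
		return v == nil && !required // absent claim still obeys required; other types are invalid
	}
	if len(aud) == 0 {
		return !required
	}
	for _, a := range aud { // the token is valid for this server only if some entry equals cmp
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

func main() { // constructed claims: a token issued for other services, presented to "api"
	claims := MapClaims{"aud": []interface{}{"billing", "reports"}}
	fmt.Println(verifyAudBefore(claims, "api", false), verifyAudAfter(claims, "api", false))
}
```

Running it prints `true false`: the pre-fix check accepts a token whose audience list never names this server, the fixed check rejects it.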

wpsmith commented 4 years ago

@dgrijalva can we get this merged? This is a vital security patch IMHO.

lggomez commented 4 years ago

Due to https://github.com/golang/go/issues/33908 it is not possible to perform go get on a PR, so it's either:

ripienaar commented 4 years ago

For those following this PR please look at https://github.com/dgrijalva/jwt-go/issues/428 where we are trying to get things back to a maintained state

mitar commented 3 years ago

This has already been done in https://github.com/dgrijalva/jwt-go/pull/286 I think.

Waterdrips commented 3 years ago

Applied the same patch as https://github.com/golang-jwt/jwt/pull/12 as per https://github.com/dgrijalva/jwt-go/issues/462#issuecomment-877353751

azr commented 3 years ago

Hello there, do we know when/if this will be released? Thanks for the fix!

ripienaar commented 3 years ago

Hello there, do we know when/if this will be released? Thanks for the fix!

Please see repo golang-jwt/jwt where this project continues