panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Audience matching doesn't work as intended #673

Closed 4integration closed 7 months ago

4integration commented 7 months ago

Describe the bug: Audience matching doesn't work as intended

This rule https://github.com/panva/node-openid-client/blob/219f956cb74986439f2d41fc3cfe6fd400c38eca/lib/client.js#L1006-L1011 only matches against client_id, but if an audience is specified on the client and the IdP is configured with it, it should validate OK with that too. If no audience is specified, client_id is used as the default.

To Reproduce: Issuer and Client configuration (inline or gist; don't forget to redact your secrets):

const express = require('express');
const expressSession = require('express-session');
const passport = require('passport');
const { Issuer, Strategy } = require('openid-client');

const app = express();

Issuer.discover('http://localhost:48118/token/internal/anonymous/.well-known/openid-configuration')
  .then(criiptoIssuer => {
    const client = new criiptoIssuer.Client({
      client_id: '2fa-client-test',
      client_secret: '2fa-client-test',
      redirect_uris: ['http://localhost:3000/auth/callback'],
    });

    app.use(
      expressSession({
        secret: 'keyboard cat',
        resave: false,
        saveUninitialized: true,
      })
    );

    app.use(passport.initialize());
    app.use(passport.session());

    // `audience` is forwarded as an extra authorization request parameter;
    // the ID Token's `aud` claim is still checked against client_id.
    passport.use('oidc', new Strategy({
      client,
      params: {
        scope: 'openid groups profile',
        audience: 'urn:myorg:camper',
      },
    }, (tokenSet, userinfo, done) => {
      return done(null, tokenSet.claims());
    }));
  });

Getting this error: {"message":"Auth failed: aud mismatch, expected 2fa-client-test, got: urn:myorg:camper"}

Expected behaviour: See description above

Environment:

panva commented 7 months ago

It works exactly as expected. audience is a proprietary parameter of some providers and if it affects the final shape of an ID Token I suggest you use the provider's SDKs to connect to them instead.
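The check the maintainer is defending, shown as an added example that is not openid-client's own code: an ID Token `aud` validation along the lines of OpenID Connect Core 1.0 section 3.1.3.7, where `aud` must contain the relying party's client_id and, with multiple audiences, `azp` must be present and equal client_id. A relying party that instead accepted its configured `audience` value would also accept ID Tokens minted for some other audience, which is the risk the client_id check removes. The function name, return values and sample claim sets are constructed for this example.

```javascript
// Added example, not openid-client's implementation. Returns null when the
// audience is acceptable, otherwise a string describing the failure.
function checkIdTokenAudience(claims, clientId) {
  const aud = claims.aud;
  if (typeof aud !== 'string' && !Array.isArray(aud)) {
    return 'aud claim missing or malformed';
  }
  const audiences = Array.isArray(aud) ? aud : [aud];

  // Core rule: the RP's own client_id must be among the audiences.
  if (!audiences.includes(clientId)) {
    return `aud mismatch, expected ${clientId}, got: ${audiences.join(', ')}`;
  }

  // Multiple audiences: azp should identify the party the token was issued to.
  if (audiences.length > 1 && claims.azp === undefined) {
    return 'azp claim missing with multiple audiences';
  }
  if (claims.azp !== undefined && claims.azp !== clientId) {
    return `azp mismatch, expected ${clientId}, got: ${claims.azp}`;
  }
  return null;
}

// Constructed sample claim sets reusing the values from the issue above.
const CLIENT_ID = '2fa-client-test';
const SAMPLES = {
  fromIssue: { aud: 'urn:myorg:camper' },                        // the failure reported
  normal: { aud: '2fa-client-test' },                             // aud equals client_id
  multi: { aud: ['2fa-client-test', 'urn:myorg:camper'], azp: '2fa-client-test' },
  multiNoAzp: { aud: ['2fa-client-test', 'urn:myorg:camper'] },  // azp required here
};

for (const [name, claims] of Object.entries(SAMPLES)) {
  console.log(name, '->', checkIdTokenAudience(claims, CLIENT_ID) || 'ok');
}
```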