Fix IAP fallback

WISVCH · Jul 27, 2023 · 4933a50 · 4933a50
1 parent f401616
commit 4933a50
Showing 1 changed file with 6 additions and 8 deletions.
diff --git a/src/plugins/authiapconnect2/validate_jwt.php b/src/plugins/authiapconnect2/validate_jwt.php
@@ -84,20 +84,18 @@ function validate_jwt($iapJwt, $expectedAudience)
     ]);
 
     if (!$jwt) {
-        return print('Failed to validate JWT: Invalid JWT');
+        throw new Exception('Failed to validate JWT: Invalid JWT');
+    }
+
+    $expectedAudiences = explode(',', $expectedAudience);
+    if (!in_array($jwt['aud'], $expectedAudiences)) {
+        throw new Exception('Invalid audience');
     }
 
     // Validate token by checking issuer and audience fields.
     assert($jwt['iss'] == 'https://cloud.google.com/iap');
 
-    $expectedAudiences = explode(',', $expectedAudience);
     assert(in_array($jwt['aud'], $expectedAudiences));  
 
     return $jwt;
-    // print('Printing user identity information from ID token payload:');
-    // printf('sub: %s', $jwt['sub']);
-    // printf('email: %s', $jwt['email']);
-    // echo '<pre>';
-    // print_r($jwt);
-    // echo '</pre>';
 }