Handle when aud OIDC claim is an Array

The `aud` claim of OIDC id_tokens [can be an array](https://github.com/authts/oidc-client-ts/blob/ce6d694639c58e6a1c80904efdac5eda82b82042/src/Claims.ts#L92) but the existing logic incorrectly assumes `aud` is always a string. This PR adds the necessary check.
matrix-org · Dec 11, 2024 · 9c0d8e8 · 9c0d8e8
1 parent 8155b0a
commit 9c0d8e8
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/spec/unit/oidc/validate.spec.ts b/spec/unit/oidc/validate.spec.ts
@@ -170,6 +170,14 @@ describe("validateIdToken()", () => {
         expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
     });
 
+    it("should not throw for a list of trusted audiences", () => {
+        mocked(jwtDecode).mockReturnValue({
+            ...validDecodedIdToken,
+            aud: [clientId],
+        });
+        expect(() => validateIdToken(idToken, issuer, clientId, nonce)).not.toThrow();
+    });
+
     it("should throw when nonce does not match", () => {
         mocked(jwtDecode).mockReturnValue({
             ...validDecodedIdToken,

diff --git a/src/oidc/validate.ts b/src/oidc/validate.ts
@@ -179,7 +179,7 @@ export const validateIdToken = (
          * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
          * EW: Don't accept tokens with other untrusted audiences
          * */
-        if (claims.aud !== clientId) {
+        if (claims.aud !== clientId && !(Array.isArray(claims.aud) && claims.aud.includes(clientId))) {
             throw new Error("Invalid audience");
         }