From 9c0d8e8891e2b973073f2dd946a115b3225ddcdb Mon Sep 17 00:00:00 2001
From: Liam Diprose
Date: Wed, 11 Dec 2024 15:40:29 +1300
Subject: [PATCH] Handle when `aud` OIDC claim is an Array

The `aud` claim of OIDC id_tokens [can be an array](https://github.com/authts/oidc-client-ts/blob/ce6d694639c58e6a1c80904efdac5eda82b82042/src/Claims.ts#L92) but the existing logic incorrectly assumes `aud` is always a string. This PR adds the necessary check.
---
 spec/unit/oidc/validate.spec.ts | 8 ++++++++
 src/oidc/validate.ts | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/spec/unit/oidc/validate.spec.ts b/spec/unit/oidc/validate.spec.ts
index c9207e28fa4..ca0f415f0ee 100644
--- a/spec/unit/oidc/validate.spec.ts
+++ b/spec/unit/oidc/validate.spec.ts
@@ -170,6 +170,14 @@ describe("validateIdToken()", () => {
 expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
 });
 
+ it("should not throw for a list of trusted audiences", () => {
+ mocked(jwtDecode).mockReturnValue({
+ ...validDecodedIdToken,
+ aud: [clientId],
+ });
+ expect(() => validateIdToken(idToken, issuer, clientId, nonce)).not.toThrow();
+ });
+
 it("should throw when nonce does not match", () => {
 mocked(jwtDecode).mockReturnValue({
 ...validDecodedIdToken,
diff --git a/src/oidc/validate.ts b/src/oidc/validate.ts
index 72eb7e96e64..1defc7a31bf 100644
--- a/src/oidc/validate.ts
+++ b/src/oidc/validate.ts
@@ -179,7 +179,7 @@ export const validateIdToken = (
 * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
 * EW: Don't accept tokens with other untrusted audiences
 * */
- if (claims.aud !== clientId) {
+ if (claims.aud !== clientId && !(Array.isArray(claims.aud) && claims.aud.includes(clientId))) {
 throw new Error("Invalid audience");
 }
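Review bot: The new spec case only exercises `aud: [clientId]`; there is no case for an array that also carries a foreign audience, which is the situation the comment above the check in src/oidc/validate.ts says must be rejected. Add a sibling case with `aud: [clientId, "https://other-client.example"]` that asserts `expect(() => validateIdToken(idToken, issuer, clientId, nonce)).toThrow("Invalid audience");`, so the spec pins down the multi-audience policy instead of leaving it to whatever the implementation happens to do. As the implementation in this same patch is written, that case would currently fail, which is the point of adding it. The enclosing `describe("validateIdToken()")` block starts and ends outside this hunk.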
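Review bot: The rewritten `if` condition accepts any `aud` array that merely contains `clientId`, so an ID token issued for `[clientId, "some-other-client"]` now passes, which contradicts the comment two lines above it ("Don't accept tokens with other untrusted audiences") and OIDC Core 3.1.3.7 step 3, which requires rejecting additional audiences the client does not trust. Since this client has no list of other trusted audiences, the only acceptable array is one whose every entry is `clientId`; normalise first with `const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];` and then reject with `if (audiences.length === 0 || audiences.some((aud) => aud !== clientId)) {`, which also still throws when `aud` is missing. If multi-audience tokens are ever meant to be accepted, the spec additionally expects an `azp` claim equal to the client_id (steps 4–5); I cannot tell from this hunk whether `azp` is checked elsewhere in `validateIdToken`, whose body starts and ends outside the hunk.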