Handle when aud OIDC claim is an Array (#4584)

liamdiprose · dbkr · web-flow · commit 693bb22ba147 · 2024-12-16T11:38:34.000Z
* Handle when `aud` OIDC claim is an Array The `aud` claim of OIDC id_tokens [can be an array](https://github.com/authts/oidc-client-ts/blob/ce6d694639c58e6a1c80904efdac5eda82b82042/src/Claims.ts#L92) but the existing logic incorrectly assumes `aud` is always a string. This PR adds the necessary check. * Clarify `aud` OIDC claim check * Fix for prettier --------- Co-authored-by: David Baker <dbkr@users.noreply.github.com>
diff --git a/spec/unit/oidc/validate.spec.ts b/spec/unit/oidc/validate.spec.ts
@@ -170,6 +170,23 @@ describe("validateIdToken()", () => {
         expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
     });
 
+    it("should not throw when audience is an array that includes clientId", () => {
+        mocked(jwtDecode).mockReturnValue({
+            ...validDecodedIdToken,
+            aud: [clientId],
+        });
+        expect(() => validateIdToken(idToken, issuer, clientId, nonce)).not.toThrow();
+    });
+
+    it("should throw when audience is an array that does not include clientId", () => {
+        mocked(jwtDecode).mockReturnValue({
+            ...validDecodedIdToken,
+            aud: [`${clientId},uiop`, "asdf"],
+        });
+        expect(() => validateIdToken(idToken, issuer, clientId, nonce)).toThrow(new Error(OidcError.InvalidIdToken));
+        expect(logger.error).toHaveBeenCalledWith("Invalid ID token", new Error("Invalid audience"));
+    });
+
     it("should throw when nonce does not match", () => {
         mocked(jwtDecode).mockReturnValue({
             ...validDecodedIdToken,
diff --git a/src/oidc/validate.ts b/src/oidc/validate.ts
@@ -179,7 +179,8 @@ export const validateIdToken = (
          * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
          * EW: Don't accept tokens with other untrusted audiences
          * */
-        if (claims.aud !== clientId) {
+        const sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : claims.aud;
+        if (!sanitisedAuds.includes(clientId)) {
             throw new Error("Invalid audience");
         }
 

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,8 @@ export const validateIdToken = (`
`179`	`179`	`* The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.`
`180`	`180`	`* EW: Don't accept tokens with other untrusted audiences`
`181`	`181`	`* */`
`182`		`- if (claims.aud !== clientId) {`
	`182`	`+ const sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : claims.aud;`
	`183`	`+ if (!sanitisedAuds.includes(clientId)) {`
`183`	`184`	`throw new Error("Invalid audience");`
`184`	`185`	`}`
`185`	`186`