"aud" claim validation in ID tokens is too tight

[lufik]

I have a problem with too tight claim "aud" validation.

RFC: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
says there could be multiple values StringOrURL (that's correct in my case) and I received there also URL.
That's problem since:

commit 488dadf9c397369c371abe2851c8d5fc67a34e5e
Date:   Tue Jun 4 04:23:28 2024 -0700

src/proto/id_token.c:

  if (json_array_size(aud) > 1) {
                                oidc_error(
                                    r,
                                    "our configured client_id (%s) was found in the array of values "
                                    "for \"%s\" claim, but there are other unknown/untrusted values included as well",
                                    oidc_cfg_provider_client_id_get(provider), OIDC_CLAIM_AUD);
                                return FALSE;
                        }

There is hard validation added which tests only 1 entry in aud array. I see no config option to tune this.

I would like to ask if this is something must have (I have no possibility to affect our oauth server part) or can it be somehow configurable (enable/disable this validation, configure how many entries are ok, what values - e.g. regexp - should be there, ...).

[tydalforce]

This is so weird, I think I just posted the same problem at nearly the exact same time - #1273

[lufik]

Good to hear we're not alone on the Earth. I'm sure we have the same issue (and we were both searching for similar issue with no luck prior to place the question here).

[zandbelt]

what Identity Provider software are you using? the "aud" validation was tightened up since 2.4.16 to match what is in the spec https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation and to be able to pass the associated conformance test https://www.certification.openid.net/log-detail.html?log=4CZRVc9jcxew0hz

[lufik]

I do not know what is used as Provider software unfortunately. I'm just consumer.
I see more entries in aud for example here: https://auth0.com/docs/secure/tokens

Do I understand correctly that mod_auth_openidc do not trust any other audiences including Issuer Identifier URL?
Is it possible to support Issuer Identifier URL in audience as I see this allowed in every docs you mentioned.

[zandbelt]

I agree that it makes sense to make the aud validation more flexible and make it backwards compatible by default; we will work on a proper solution and report back

[zandbelt]

see a14ed22 which will be included in the upcoming 2.4.16.5 release

[tydalforce]

Downloaded the updated code and tried it out - I'm pleased to report that it worked fine for me! Appreciate the quick turnaround on this; looking forward to trying the official release. Thanks!

[zandbelt]

backwards compatibility is now provided as of release 2.4.16.5: https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.16.5