lib-oauth2: Ensure aud field has client_id when set.
authorAki Tuomi <aki.tuomi@open-xchange.com>
Mon, 8 May 2023 05:21:43 +0000 (08:21 +0300)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Tue, 29 Aug 2023 07:08:45 +0000 (07:08 +0000)
OpenID Connect 1.0 specification says that "aud" field must contain
OAuth 2.0 client_id of the Relying Party as an audience value.

src/lib-oauth2/oauth2-jwt.c

index 56e8d00fffe672c5ad9682fdf015913063027af7..6631f21c7a3cc31fcfc71bdd92c27442ea95ed28 100644 (file)
@@ -413,6 +413,21 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
                }
        }
 
+       const char *aud = get_field(tree, "aud", NULL);
+       /* if there is client_id configured, then aud should be present */
+       if (set->client_id != NULL && *set->client_id != '\0') {
+               if (aud == NULL) {
+                       *error_r = "client_id set but aud is missing";
+                       return -1;
+
+               }
+               const char *const *auds = t_strsplit_spaces(aud, " ");
+               if (!str_array_find(auds, set->client_id)) {
+                       *error_r = "client_id not found in aud field";
+                       return -1;
+               }
+       }
+
        /* see if there is azp */
        const char *azp = get_field(tree, "azp");
        if (azp == NULL)
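Review bot: The new audience check on the `t_strsplit_spaces(aud, " ")` line treats `aud` as a single space-separated string, but RFC 7519 also allows `aud` to be a JSON array of strings; if `get_field()` yields NULL for an array-valued node, a valid token whose audience is given as an array is rejected with "client_id set but aud is missing", and if it yields only the first element the membership test silently narrows — confirm how `get_field()` handles non-string nodes and handle the array case explicitly. The two `get_field()` calls in the hunk also disagree on arity (`get_field(tree, "aud", NULL)` versus the context line `get_field(tree, "azp")`); unless the helper is variadic, one of them does not match its prototype. Since this check is what keeps a token minted for a different relying party from being accepted here, a one-line comment above the `if` naming the requirement would help, e.g. `/* OIDC Core 3.1.3.7 / RFC 7519 4.1.3: reject tokens whose aud does not include our client_id */`. The stray blank line between `return -1;` and the closing brace of the `aud == NULL` branch can be dropped. oauth2_jwt_body_process starts and ends outside the hunk.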