lib-oauth2: Ensure aud field has client_id when set.
authorAki Tuomi <aki.tuomi@open-xchange.com>
Mon, 8 May 2023 05:21:43 +0000 (08:21 +0300)
committerAki Tuomi <aki.tuomi@open-xchange.com>
Thu, 11 May 2023 11:35:29 +0000 (14:35 +0300)
The OpenID Connect 1.0 specification says that the "aud" field must contain
the OAuth 2.0 client_id of the Relying Party as an audience value.

src/lib-oauth2/oauth2-jwt.c

index 13036e9a1c3ad9a517e9b21a3ea75195b46fcbb3..0068dd3e960b37fa3a0805a300a1b7b12ae3a2db 100644 (file)
@@ -428,6 +428,21 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
                }
        }
 
+       const char *aud = get_field(tree, "aud", NULL);
+       /* if there is client_id configured, then aud should be present */
+       if (set->client_id != NULL && *set->client_id != '\0') {
+               if (aud == NULL) {
+                       *error_r = "client_id set but aud is missing";
+                       return -1;
+
+               }
+               const char *const *auds = t_strsplit_spaces(aud, " ");
+               if (!str_array_find(auds, set->client_id)) {
+                       *error_r = "client_id not found in aud field";
+                       return -1;
+               }
+       }
+
        /* see if there is azp */
        const char *azp = get_field(tree, "azp", NULL);
        if (azp == NULL)
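Review bot: The split `t_strsplit_spaces(aud, " ")` treats the aud claim as a space-separated string, but RFC 7519 §4.1.3 also allows aud to be a JSON array of strings, and whether an array-valued aud ever reaches this code depends on what `get_field` returns for an array, which is outside the hunk; if it returns NULL there, a conforming token carrying `"aud": ["<client_id>"]` would be rejected with "client_id set but aud is missing", so confirm that and document the assumption next to the declaration, e.g. `/* aud may be a JSON array (RFC 7519 4.1.3); relies on get_field flattening it to a space-separated list */`. The comment `/* if there is client_id configured, then aud should be present */` should also state the converse, that with an empty client_id the audience is not validated at all, since that is the pre-existing behaviour the new branch leaves in place and an operator reading this block would otherwise assume aud is always checked. The stray blank line before the closing brace of the `aud == NULL` branch should be dropped. oauth2_jwt_body_process begins and ends outside the hunk.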