From: Aki Tuomi
Date: Mon, 8 May 2023 05:21:43 +0000 (+0300)
Subject: lib-oauth2: Ensure aud field has client_id when set.
X-Git-Tag: 2.4.0~2769
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2dc2f0fca2a9fc15d94281993dba6ccaf62e4b5;p=thirdparty%2Fdovecot%2Fcore.git

lib-oauth2: Ensure aud field has client_id when set.

OpenID Connect 1.0 specification says that "aud" field must contain OAuth 2.0 client_id of the Relying Party as an audience value.
---

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 13036e9a1c..0068dd3e96 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -428,6 +428,21 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
 		}
 	}
 
+	const char *aud = get_field(tree, "aud", NULL);
+	/* if there is client_id configured, then aud should be present */
+	if (set->client_id != NULL && *set->client_id != '\0') {
+		if (aud == NULL) {
+			*error_r = "client_id set but aud is missing";
+			return -1;
+
+		}
+		const char *const *auds = t_strsplit_spaces(aud, " ");
+		if (!str_array_find(auds, set->client_id)) {
+			*error_r = "client_id not found in aud field";
+			return -1;
+		}
+	}
+
 	/* see if there is azp */
 	const char *azp = get_field(tree, "azp", NULL);
 	if (azp == NULL)
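Review bot: The new check treats "aud" as a space-separated string (`t_strsplit_spaces(aud, " ")`), but RFC 7519 §4.1.3 allows the claim to be either a single string or a JSON array of strings, and it is not visible here whether `get_field()` flattens an array into that form or returns NULL/the raw value for it; in the latter case a valid multi-audience token is rejected or matched against the wrong text, so this assumption should be stated and verified. I would add above the split line: `/* "aud" may be a JSON array (RFC 7519 §4.1.3); get_field() is expected to flatten it to a space-separated list -- confirm */`. The exact-match lookup via `str_array_find` is the right comparison (no prefix or substring matching), and neither error string echoes token content, which is good. As a style point, the empty line between `return -1;` and `}` inside the `aud == NULL` branch should be dropped. oauth2_jwt_body_process starts and ends outside the hunk.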