From: Aki Tuomi
Date: Mon, 8 May 2023 05:21:43 +0000 (+0300)
Subject: lib-oauth2: Ensure aud field has client_id when set.
X-Git-Tag: 2.3.21~24
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=63e0c9ede4763f89b3a169eb8350e892fc7554b7;p=thirdparty%2Fdovecot%2Fcore.git

lib-oauth2: Ensure aud field has client_id when set.

OpenID Connect 1.0 specification says that "aud" field must contain OAuth 2.0 client_id of the Relying Party as an audience value.
---

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 56e8d00fff..6631f21c7a 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -413,6 +413,21 @@ oauth2_jwt_body_process(const struct oauth2_settings *set, const char *alg,
 }
 }
+ const char *aud = get_field(tree, "aud", NULL);
+ /* if there is client_id configured, then aud should be present */
+ if (set->client_id != NULL && *set->client_id != '\0') {
+ if (aud == NULL) {
+ *error_r = "client_id set but aud is missing";
+ return -1;
+
+ }
+ const char *const *auds = t_strsplit_spaces(aud, " ");
+ if (!str_array_find(auds, set->client_id)) {
+ *error_r = "client_id not found in aud field";
+ return -1;
+ }
+ }
+
 /* see if there is azp */
 const char *azp = get_field(tree, "azp");
 if (azp == NULL)
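Review bot: The audience match at `t_strsplit_spaces(aud, " ")` treats whatever `get_field` returns for "aud" as a space-separated list, but RFC 7519 section 4.1.3 defines aud as either a single StringOrURI or a JSON array of them, so a single-string audience such as `"foo bar"` would be accepted for client_id `foo`, and how an array-form aud (the common case) is rendered by `get_field` is not visible in this hunk; if `get_field` returns NULL for arrays, valid tokens would be rejected as "aud is missing". Note also that `get_field` is called with three arguments here but with two for "azp" on the following context line, so the third argument presumably controls array/multi-value handling; please confirm that prototype rather than rely on the split. If the string form is returned verbatim, the safer check is an exact comparison for that case and element-wise matching only for arrays, and a comment stating the delimiter convention, e.g. `/* aud is a StringOrURI or array thereof (RFC 7519 4.1.3); get_field() is assumed to join array elements with a single space -- confirm */`, would make the assumption visible. The stray blank line before the closing brace of the `aud == NULL` branch is also worth dropping. The enclosing function `oauth2_jwt_body_process` begins and ends outside this hunk.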