fix(alcoholic_jwt): Support multiple values in jwt audience claim
Per https://tools.ietf.org/html/rfc7519#section-4.1.3, the audience claim can consist of either a single string or an array of strings. The latter currently causes an error due to the type of aud in PartialClaims. Message-Id: <87r1toex8n.fsf@riseup.net> Change-Id: I6e00791d0ba56cb1e3c029e1b8617c33000d2ab1 Reviewed-on: https://cl.tvl.fyi/c/depot/+/946 Tested-by: BuildkiteCI Reviewed-by: lukegb <lukegb@tvl.fyi>
This commit is contained in:
parent
8b58593193
commit
618e5540c2
1 changed files with 16 additions and 2 deletions
|
@ -356,11 +356,20 @@ fn validate_jwt_signature(jwt: &JWT, key: Rsa<Public>) -> JWTResult<()> {
|
|||
}
|
||||
}
|
||||
|
||||
/// Internal helper enum for PartialClaims that supports single or
|
||||
/// multiple audiences
|
||||
#[derive(Deserialize)]
|
||||
#[serde(untagged)]
|
||||
enum Audience {
|
||||
Single(String),
|
||||
Multi(Vec<String>)
|
||||
}
|
||||
|
||||
/// Internal helper struct for claims that are relevant for claim
|
||||
/// validations.
|
||||
#[derive(Deserialize)]
|
||||
struct PartialClaims {
|
||||
aud: Option<String>,
|
||||
aud: Option<Audience>,
|
||||
iss: Option<String>,
|
||||
sub: Option<String>,
|
||||
exp: Option<u64>,
|
||||
|
@ -388,7 +397,12 @@ fn apply_validation(claims: &PartialClaims,
|
|||
Validation::Audience(aud) => {
|
||||
match claims.aud {
|
||||
None => Err("'aud' claim is missing"),
|
||||
Some(ref claim) => if *claim == aud {
|
||||
Some(Audience::Single(ref claim)) => if *claim == aud {
|
||||
Ok(())
|
||||
} else {
|
||||
Err("'aud' claim does not match")
|
||||
},
|
||||
Some(Audience::Multi(ref claims)) => if claims.contains(&aud) {
|
||||
Ok(())
|
||||
} else {
|
||||
Err("'aud' claim does not match")
|
||||
|
|
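Review bot: The new arm `Some(Audience::Multi(ref claims)) => if claims.contains(&aud) {` rebinds `claims`, shadowing the `claims: &PartialClaims` parameter shown in the hunk header, so inside that arm the same name denotes the `Vec<String>` of audiences rather than the claims struct; a distinct name avoids the ambiguity, e.g. `Some(Audience::Multi(ref audiences)) => if audiences.contains(&aud) {`. The `apply_validation` body starts before this hunk and the closing of the match arm continues after it. The `Audience` enum added in the first hunk carries only a one-line purpose comment although its matching rule is what the validation relies on; its doc comment could state that, per RFC 7519 §4.1.3, an array-valued claim is accepted when any element is exactly equal to the expected audience, and that an empty array therefore fails with `'aud' claim does not match` rather than `'aud' claim is missing`.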