Audience claim verification check with Bearer token #856
Comments
No, only the token expiration is checked: https://github.com/nextcloud/user_oidc/blob/main/lib/User/Validator/SelfEncodedValidator.php#L67-L71 There are many more checks done when obtaining a token during login: https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L444-L484 It is kind of intended. I mean, the goal is to let other services (using the same client from the same IdP) make API requests to NC. Why are you asking? Do you expect the validation to fail in this case?
@julien-nc Any other services making request with the
Is the audience supposed to always be the Oidc client ID?
Hey @julien-nc, AFAIK Keycloak's token endpoint allows replacing one token for another. So, if OP has one access token with the OP client as audience, then OP can request a new token with it to get another access token with the desired audience, the Nextcloud client. For that to work Keycloak's realm needs to have set policies that allow this. The Keycloak docs explain that. See Keycloak's docs (paragraph 7) on token exchange https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange If you think of it from the other way around: if you don't have audience awareness during authorisation you could (mis)use the same token for requests in the other direction. Without an audience check any Keycloak access token from a client within the same realm will authorize in Nextcloud, even though it was originally given to a completely different client, e.g. some untrustworthy service that you would only give little permissions/scopes within Keycloak.
Ok then I guess we can add an audience check in the bearer token validation. This would be the same check as when getting the login token: we would check the audience is the Oidc client ID.
@julien-nc Sounds great! Thank you!
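The check agreed on above, written out as an added illustration (this is not code from user_oidc or from anyone in the thread): after signature verification, a bearer token is rejected unless it is unexpired and its `aud` claim, which RFC 7519 allows to be a string or an array, includes the Nextcloud client ID. The client ID, the token builder and both sample payloads are constructed for the demo.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Assumed value for the demo; in a real deployment this is the OIDC client ID
# that Keycloak issued for Nextcloud.
NEXTCLOUD_CLIENT_ID = "nextcloud"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Parse the payload of a compact JWT. Signature verification against the
    IdP's keys is assumed to have happened before this point; this only parses."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))

def validate_bearer_claims(claims: dict, client_id: str,
                           now: Optional[int] = None) -> Tuple[bool, str]:
    """Reject an expired token, then reject a token whose audience does not
    include our own client ID (the gap described in the issue)."""
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired or has no exp"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:
        return False, f"audience {audiences!r} does not include {client_id!r}"
    return True, "ok"

def make_demo_token(claims: dict) -> str:
    """Build a constructed token with an empty signature segment, enough for
    decode_claims(); it is not a Keycloak token and would fail real verification."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}."

# Constructed payloads: the first mirrors the report (aud is another client).
FOREIGN_AUD = make_demo_token({"aud": "https://openproject.local", "exp": 9999999999})
OWN_AUD = make_demo_token({"aud": ["nextcloud", "account"], "exp": 9999999999})

if __name__ == "__main__":
    for tok in (FOREIGN_AUD, OWN_AUD):
        print(validate_bearer_claims(decode_claims(tok), NEXTCLOUD_CLIENT_ID, now=1_700_000_000))
```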
Description
I am currently in a situation where i have an `access_token` for `nextcloud` which i got from `keycloak`. The `user_oidc` app allows a setting to make API request as bearer-auth using the `access_token`. In the `access_token` i have an audience claim for example `another-client` other than `nextcloud` itself. for example:

In the above payload of the `access_token` the audience claim is `"aud": "https://openproject.local"` which is not `nextcloud`. And i am able to make API request with it. I have some question regarding it.

1. Does `user_oidc` app check and verify the audience claim in the `access_token` for API request?
2. Is `user_oidc` missing to check the audience claim?