| author | Caranatar <caranatar@riseup.net> | 2020-07-06T10·47-0400 |
|---|---|---|
| committer | tazjin <mail@tazj.in> | 2020-07-06T21·50+0000 |
| commit | 618e5540c23da5b425dd4ca79951dbbe8f651925 (patch) | |
| tree | 3a9c979b90d3534914a9d9c4a1f66174b6fe6097 /net/alcoholic_jwt | |
| parent | 8b5859319347a0da80e9d7fd4dd1a7b5dec84e52 (diff) | |
fix(alcoholic_jwt): Support multiple values in jwt audience claim r/1227
Per https://tools.ietf.org/html/rfc7519#section-4.1.3, the audience claim can consist of either a single string or an array of strings. The latter currently causes an error due to the type of aud in PartialClaims.

Message-Id: <87r1toex8n.fsf@riseup.net>
Change-Id: I6e00791d0ba56cb1e3c029e1b8617c33000d2ab1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/946
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Diffstat (limited to 'net/alcoholic_jwt')
-rw-r--r-- | net/alcoholic_jwt/src/lib.rs | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/net/alcoholic_jwt/src/lib.rs b/net/alcoholic_jwt/src/lib.rs index c98bee61505d..4acd8d1e90db 100644 --- a/net/alcoholic_jwt/src/lib.rs +++ b/net/alcoholic_jwt/src/lib.rs @@ -356,11 +356,20 @@ fn validate_jwt_signature(jwt: &JWT, key: Rsa<Public>) -> JWTResult<()> { } } +/// Internal helper enum for PartialClaims that supports single or +/// multiple audiences +#[derive(Deserialize)] +#[serde(untagged)] +enum Audience { + Single(String), + Multi(Vec<String>) +} + /// Internal helper struct for claims that are relevant for claim /// validations. #[derive(Deserialize)] struct PartialClaims { - aud: Option<String>, + aud: Option<Audience>, iss: Option<String>, sub: Option<String>, exp: Option<u64>, @@ -388,7 +397,12 @@ fn apply_validation(claims: &PartialClaims, Validation::Audience(aud) => { match claims.aud { None => Err("'aud' claim is missing"), - Some(ref claim) => if *claim == aud { + Some(Audience::Single(ref claim)) => if *claim == aud { + Ok(()) + } else { + Err("'aud' claim does not match") + }, + Some(Audience::Multi(ref claims)) => if claims.contains(&aud) { Ok(()) } else { Err("'aud' claim does not match") |
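Review bot: in the first hunk (`@@ -356,11 +356,20 @@`), the `#[serde(untagged)]` `Audience` enum means an empty JSON array (`"aud": []`) deserializes as `Multi(vec![])` and is then rejected with "'aud' claim does not match" rather than "'aud' claim is missing"; that is the correct fail-closed outcome for validation, but it deserves a sentence in the enum's doc comment so nobody later "fixes" it. The same applies to an array containing non-string entries, which fails both variants and makes the whole `PartialClaims` parse error out. Minor: `Multi(Vec<String>)` is missing a trailing comma, which rustfmt will flag.

Review bot: in the second hunk (`@@ -388,7 +397,12 @@`), the binding in `Some(Audience::Multi(ref claims))` shadows the function parameter `claims: &PartialClaims` inside that arm; rename it (for example `ref auds`) so `claims.contains(&aud)` is not misread as a method on the claims struct. The two new arms also duplicate the `Ok(())` / `Err("'aud' claim does not match")` branches; computing a single `bool` from the match (`Single(ref c) => *c == aud`, `Multi(ref auds) => auds.contains(&aud)`) and then returning once keeps the error string in one place. The diff touches only `lib.rs` and adds no test for the array form, so a unit test with a matching and a non-matching multi-valued `aud` would be a good addition here.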