all lists on lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH proxmox/proxmox-openid] fix #5076: Added extra audience verification checks.
@ 2025-02-06 12:01 Alexander Abraham
  2025-02-17  8:54 ` Dominik Csapak
  0 siblings, 1 reply; 3+ messages in thread
From: Alexander Abraham @ 2025-02-06 12:01 UTC (permalink / raw)
  To: pve-devel; +Cc: Alexander Abraham

Two things were added to the proxmox-openid crate to fix
bug #5076: i) the function to require strict audience checking
was called and ii) an extra verifier function was added to check
if the configured audiences match the receieved audiences.

Signed-off-by: Alexander Abraham <a.abraham@proxmox.com>
---
 proxmox-openid/src/lib.rs | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
index fe65fded..396f55cd 100644
--- a/proxmox-openid/src/lib.rs
+++ b/proxmox-openid/src/lib.rs
@@ -1,10 +1,9 @@
 #![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))]
 
-use std::path::Path;
-
 use anyhow::{format_err, Error};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
+use std::path::Path;
 
 mod http_client;
 pub use http_client::http_client;
@@ -53,6 +52,8 @@ pub struct OpenIdConfig {
     pub prompt: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub acr_values: Option<Vec<String>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub aud: Option<Vec<String>>,
 }
 
 pub struct OpenIdAuthenticator {
@@ -204,21 +205,32 @@ impl OpenIdAuthenticator {
             .set_pkce_verifier(private_auth_state.pkce_verifier())
             .request(http_client)
             .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?;
-
-        let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier();
         let id_token_claims: &CoreIdTokenClaims = token_response
             .extra_fields()
             .id_token()
             .expect("Server did not return an ID token")
-            .claims(&id_token_verifier, &private_auth_state.nonce)
+            .claims(
+                &((self.client.id_token_verifier() as CoreIdTokenVerifier)
+                    .require_audience_match(true)
+                    .set_other_audience_verifier_fn(|aud| {
+                        let curr_aud: &String = &**aud;
+                        if &self.config.client_id == curr_aud {
+                            true
+                        } else {
+                            match self.config.aud.as_ref() {
+                                Some(confd_auds) => confd_auds.contains(curr_aud),
+                                None => false,
+                            }
+                        }
+                    })),
+                &private_auth_state.nonce,
+            )
             .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
-
         let userinfo_claims: GenericUserInfoClaims = self
             .client
             .user_info(token_response.access_token().to_owned(), None)?
             .request(http_client)
             .map_err(|err| format_err!("Failed to contact userinfo endpoint: {}", err))?;
-
         Ok((id_token_claims.clone(), userinfo_claims))
     }
 
@@ -230,9 +242,7 @@ impl OpenIdAuthenticator {
     ) -> Result<Value, Error> {
         let (id_token_claims, userinfo_claims) =
             self.verify_authorization_code(code, private_auth_state)?;
-
         let mut data = serde_json::to_value(id_token_claims)?;
-
         let data2 = serde_json::to_value(userinfo_claims)?;
 
         if let Some(map) = data2.as_object() {
@@ -243,7 +253,6 @@ impl OpenIdAuthenticator {
                 data[key] = value.clone();
             }
         }
-
         Ok(data)
     }
 }
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-06-04 10:16 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-02-06 12:01 [pve-devel] [PATCH proxmox/proxmox-openid] fix #5076: Added extra audience verification checks Alexander Abraham
2025-02-17  8:54 ` Dominik Csapak
2025-06-04 10:17   ` Alexander Abraham

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal