MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2024-12-25 22:55:54 -05:00
Code Issues Packages Projects Releases Wiki Activity

always validate JWT token audience (#12797)

Browse Source 
audience for the JWT token should match
the configured client_id, this allows
rejecting valid JWTs not meant for MinIO.
This commit is contained in:
Harshavardhana 2021-07-26 19:40:15 -07:00 committed by GitHub
parent a9d9b520ec
commit ddcd419b4c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
cmd/sts-handlers.go
View File

@ -58,6 +58,7 @@ const (
// JWT claim keys // JWT claim keys
expClaim = "exp" expClaim = "exp"
subClaim = "sub" subClaim = "sub"
audClaim = "aud"
issClaim = "iss" issClaim = "iss"
// JWT claim to check the parent user // JWT claim to check the parent user
@ -332,13 +333,25 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
return return
} }
var audFromToken string
if v, ok := m[audClaim]; ok {
audFromToken, _ = v.(string)
}
var subFromToken string var subFromToken string
if v, ok := m[subClaim]; ok { if v, ok := m[subClaim]; ok {
subFromToken, _ = v.(string) subFromToken, _ = v.(string)
} }
if subFromToken == "" { if subFromToken == "" {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory")) writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
return
}
if audFromToken != globalOpenIDConfig.ClientID {
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID"))
return return
} }