mirror of
https://github.com/minio/minio.git
synced 2024-12-25 06:35:56 -05:00
always validate JWT token audience (#12797)
audience for the JWT token should match the configured client_id, this allows rejecting valid JWTs not meant for MinIO.
This commit is contained in:
parent
a9d9b520ec
commit
ddcd419b4c
@ -58,6 +58,7 @@ const (
|
|||||||
// JWT claim keys
|
// JWT claim keys
|
||||||
expClaim = "exp"
|
expClaim = "exp"
|
||||||
subClaim = "sub"
|
subClaim = "sub"
|
||||||
|
audClaim = "aud"
|
||||||
issClaim = "iss"
|
issClaim = "iss"
|
||||||
|
|
||||||
// JWT claim to check the parent user
|
// JWT claim to check the parent user
|
||||||
@ -332,13 +333,25 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var audFromToken string
|
||||||
|
if v, ok := m[audClaim]; ok {
|
||||||
|
audFromToken, _ = v.(string)
|
||||||
|
}
|
||||||
|
|
||||||
var subFromToken string
|
var subFromToken string
|
||||||
if v, ok := m[subClaim]; ok {
|
if v, ok := m[subClaim]; ok {
|
||||||
subFromToken, _ = v.(string)
|
subFromToken, _ = v.(string)
|
||||||
}
|
}
|
||||||
|
|
||||||
if subFromToken == "" {
|
if subFromToken == "" {
|
||||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
|
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
|
||||||
|
errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if audFromToken != globalOpenIDConfig.ClientID {
|
||||||
|
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
|
||||||
|
errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user