[pve-devel] [PATCH proxmox/proxmox-openid] fix #5076: Added extra audience verification checks.

Thu Feb 6 13:01:54 CET 2025

Two things were added to the proxmox-openid crate to fix
bug #5076: i) the function to require strict audience checking
was called and ii) an extra verifier function was added to check
if the configured audiences match the receieved audiences.

Signed-off-by: Alexander Abraham <a.abraham at proxmox.com>
---
 proxmox-openid/src/lib.rs | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/proxmox-openid/src/lib.rs b/proxmox-openid/src/lib.rs
index fe65fded..396f55cd 100644
--- a/proxmox-openid/src/lib.rs
+++ b/proxmox-openid/src/lib.rs
@@ -1,10 +1,9 @@
 #![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))]
 
-use std::path::Path;
-
 use anyhow::{format_err, Error};
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
+use std::path::Path;
 
 mod http_client;
 pub use http_client::http_client;
@@ -53,6 +52,8 @@ pub struct OpenIdConfig {
     pub prompt: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub acr_values: Option<Vec<String>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub aud: Option<Vec<String>>,
 }
 
 pub struct OpenIdAuthenticator {
@@ -204,21 +205,32 @@ impl OpenIdAuthenticator {
             .set_pkce_verifier(private_auth_state.pkce_verifier())
             .request(http_client)
             .map_err(|err| format_err!("Failed to contact token endpoint: {}", err))?;
-
-        let id_token_verifier: CoreIdTokenVerifier = self.client.id_token_verifier();
         let id_token_claims: &CoreIdTokenClaims = token_response
             .extra_fields()
             .id_token()
             .expect("Server did not return an ID token")
-            .claims(&id_token_verifier, &private_auth_state.nonce)
+            .claims(
+                &((self.client.id_token_verifier() as CoreIdTokenVerifier)
+                    .require_audience_match(true)
+                    .set_other_audience_verifier_fn(|aud| {
+                        let curr_aud: &String = &**aud;
+                        if &self.config.client_id == curr_aud {
+                            true
+                        } else {
+                            match self.config.aud.as_ref() {
+                                Some(confd_auds) => confd_auds.contains(curr_aud),
+                                None => false,
+                            }
+                        }
+                    })),
+                &private_auth_state.nonce,
+            )
             .map_err(|err| format_err!("Failed to verify ID token: {}", err))?;
-
         let userinfo_claims: GenericUserInfoClaims = self
             .client
             .user_info(token_response.access_token().to_owned(), None)?
             .request(http_client)
             .map_err(|err| format_err!("Failed to contact userinfo endpoint: {}", err))?;
-
         Ok((id_token_claims.clone(), userinfo_claims))
     }
 
@@ -230,9 +242,7 @@ impl OpenIdAuthenticator {
     ) -> Result<Value, Error> {
         let (id_token_claims, userinfo_claims) =
             self.verify_authorization_code(code, private_auth_state)?;
-
         let mut data = serde_json::to_value(id_token_claims)?;
-
         let data2 = serde_json::to_value(userinfo_claims)?;
 
         if let Some(map) = data2.as_object() {
@@ -243,7 +253,6 @@ impl OpenIdAuthenticator {
                 data[key] = value.clone();
             }
         }
-
         Ok(data)
     }
 }
-- 
2.39.5



