From d038fb2c7af11d884dc15683a76a4e1b49aa84e2 Mon Sep 17 00:00:00 2001
From: Gerard Guillemas Martos
Date: Mon, 12 Aug 2024 18:05:19 +0200
Subject: [PATCH] Disable default audience validation also for JWKS (#4495)
---
 core/src/iam/jwks.rs | 12 +++++++++++-
 core/src/iam/verify.rs | 3 ++-
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/core/src/iam/jwks.rs b/core/src/iam/jwks.rs
index c7e8b7dc..09d41014 100644
--- a/core/src/iam/jwks.rs
+++ b/core/src/iam/jwks.rs
@@ -203,7 +203,17 @@ pub(super) async fn config(
 // Return verification configuration if a decoding key can be retrieved from the JWK object
 match DecodingKey::from_jwk(&jwk) {
- Ok(dec) => Ok((dec, Validation::new(alg))),
+ Ok(dec) => {
+ let mut val = Validation::new(alg);
+
+ // TODO(gguillemas): This keeps the existing behavior as of SurrealDB 2.0.0-alpha.9.
+ // Up to that point, a fork of the "jsonwebtoken" crate in version 8.3.0 was being used.
+ // Now that the audience claim is validated by default, we could allow users to leverage this.
+ // This will most likely involve defining an audience string via "DEFINE ACCESS ... TYPE JWT".
+ val.validate_aud = false;
+
+ Ok((dec, val))
+ }
 Err(err) => {
 warn!("Failed to retrieve decoding key from JWK object: '{}'", err);
 Err(Error::InvalidAuth) // Return opaque error
diff --git a/core/src/iam/verify.rs b/core/src/iam/verify.rs
index cb5a695a..7427c86e 100644
--- a/core/src/iam/verify.rs
+++ b/core/src/iam/verify.rs
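Review bot: Clearing `val.validate_aud = false` on the JWKS path is a security-relevant decision, but the comment above it only says it preserves older behavior; the consequence belongs next to the flag, e.g. `// SECURITY: the "aud" claim is not checked here, so any token signed with this issuer's key is accepted whatever audience it names; scope trust in the key accordingly.` The same five-line block is now duplicated verbatim in verify.rs `config` (the hunk at -60), so a shared helper along the lines of `fn validation_without_aud(alg: Algorithm) -> Validation` would keep the two paths from drifting when the planned "DEFINE ACCESS ... TYPE JWT" audience setting lands. As far as this hunk shows, the relaxation is limited to the audience claim and the remaining `Validation::new(alg)` defaults are left untouched, though that presumption should be confirmed against the jsonwebtoken version in use. The enclosing `config` function begins and ends outside the hunk.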
@@ -60,7 +60,7 @@ fn config(alg: Algorithm, key: &[u8]) -> Result<(DecodingKey, Validation), Error
 // TODO(gguillemas): This keeps the existing behavior as of SurrealDB 2.0.0-alpha.9.
 // Up to that point, a fork of the "jsonwebtoken" crate in version 8.3.0 was being used.
- // Now that the audience claim is validated by default, we should allow users to leverage this.
+ // Now that the audience claim is validated by default, we could allow users to leverage this.
 // This will most likely involve defining an audience string via "DEFINE ACCESS ... TYPE JWT".
 val.validate_aud = false;
@@ -1801,6 +1801,7 @@ mod tests {
 iss: Some("surrealdb-test".to_string()),
 iat: Some(Utc::now().timestamp()),
 nbf: Some(Utc::now().timestamp()),
+ aud: Some(Audience::Single("surrealdb-test".to_string())),
 exp: Some((Utc::now() + Duration::hours(1)).timestamp()),
 ns: Some("test".to_string()),
 db: Some("test".to_string()),
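Review bot: The `aud` value added to this fixture equals the issuer name, so the test only shows that a token carrying an audience still verifies; it does not pin the behavior the commit deliberately introduces, namely that the audience value is never compared against anything. A second fixture, or a variant of this one, using a constructed non-matching value such as `aud: Some(Audience::Single("other-audience".to_string())),` and asserting that verification still succeeds would make the intentional absence of audience validation explicit and would fail loudly once the planned "DEFINE ACCESS ... TYPE JWT" audience setting turns the check back on. The enclosing test function starts before and ends after the hunk, so which verification path this fixture exercises is not visible here.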