Validate audience with entityIssuer if present, use redirectURI otherwise
This commit is contained in:
parent
40f0265ab4
commit
47897f73fa
2 changed files with 8 additions and 2 deletions
|
@ -40,6 +40,8 @@ connectors:
|
|||
# insecureSkipSignatureValidation: true
|
||||
|
||||
# Optional: Issuer value for AuthnRequest
|
||||
# Must be contained within the "AudienceRestriction" attribute in all responses
|
||||
# If not set, redirectURI will be used for audience validation
|
||||
entityIssuer: https://dex.example.com/callback
|
||||
|
||||
# Optional: Issuer value for SAML Response
|
||||
|
|
|
@ -466,6 +466,10 @@ func (p *provider) validateConditions(assertion *assertion) error {
|
|||
}
|
||||
}
|
||||
// Validates audience
|
||||
audienceValue := p.entityIssuer
|
||||
if audienceValue == "" {
|
||||
audienceValue = p.redirectURI
|
||||
}
|
||||
audienceRestriction := conditions.AudienceRestriction
|
||||
if audienceRestriction != nil {
|
||||
audiences := audienceRestriction.Audiences
|
||||
|
@ -473,14 +477,14 @@ func (p *provider) validateConditions(assertion *assertion) error {
|
|||
values := make([]string, len(audiences))
|
||||
issuerInAudiences := false
|
||||
for i, audience := range audiences {
|
||||
if audience.Value == p.redirectURI {
|
||||
if audience.Value == audienceValue {
|
||||
issuerInAudiences = true
|
||||
break
|
||||
}
|
||||
values[i] = audience.Value
|
||||
}
|
||||
if !issuerInAudiences {
|
||||
return fmt.Errorf("required audience %s was not in Response audiences %s", p.redirectURI, values)
|
||||
return fmt.Errorf("required audience %s was not in Response audiences %s", audienceValue, values)
|
||||
}
|
||||
}
|
||||
}
|
||||
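Review bot: The audience check is still skipped entirely when the response carries no AudienceRestriction element (the `if audienceRestriction != nil` branch in the first hunk), so switching the expected value to `p.entityIssuer` only tightens the comparison for responses that include one; an assertion that omits the element is accepted regardless of who it was issued for. If this connector is the intended sole consumer of the assertion, consider failing closed, e.g. `if audienceRestriction == nil { return fmt.Errorf("response has no AudienceRestriction; required audience %s", audienceValue) }`, or at least documenting that absence is deliberately tolerated. A short why-comment above `audienceValue := p.entityIssuer` would also help the next reader, since the yaml hunk is the only place the precedence is explained: `// The IdP echoes our AuthnRequest Issuer as the Audience, so prefer entityIssuer when configured.` The `values` slice is only filled up to the matching entry because of the `break`, so the error message on the new side may list an incomplete audience set. validateConditions begins before the first hunk and continues past the second.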
|
|