Validate audience with entityIssuer if present, use redirectURI otherwise

This commit is contained in:
Phu Kieu 2017-04-06 14:04:20 -07:00
parent 40f0265ab4
commit 47897f73fa
2 changed files with 8 additions and 2 deletions

View File

@ -40,6 +40,8 @@ connectors:
# insecureSkipSignatureValidation: true # insecureSkipSignatureValidation: true
# Optional: Issuer value for AuthnRequest # Optional: Issuer value for AuthnRequest
# Must be contained within the "AudienceRestriction" attribute in all responses
# If not set, redirectURI will be used for audience validation
entityIssuer: https://dex.example.com/callback entityIssuer: https://dex.example.com/callback
# Optional: Issuer value for SAML Response # Optional: Issuer value for SAML Response

View File

@ -466,6 +466,10 @@ func (p *provider) validateConditions(assertion *assertion) error {
} }
} }
// Validates audience // Validates audience
audienceValue := p.entityIssuer
if audienceValue == "" {
audienceValue = p.redirectURI
}
audienceRestriction := conditions.AudienceRestriction audienceRestriction := conditions.AudienceRestriction
if audienceRestriction != nil { if audienceRestriction != nil {
audiences := audienceRestriction.Audiences audiences := audienceRestriction.Audiences
@ -473,14 +477,14 @@ func (p *provider) validateConditions(assertion *assertion) error {
values := make([]string, len(audiences)) values := make([]string, len(audiences))
issuerInAudiences := false issuerInAudiences := false
for i, audience := range audiences { for i, audience := range audiences {
if audience.Value == p.redirectURI { if audience.Value == audienceValue {
issuerInAudiences = true issuerInAudiences = true
break break
} }
values[i] = audience.Value values[i] = audience.Value
} }
if !issuerInAudiences { if !issuerInAudiences {
return fmt.Errorf("required audience %s was not in Response audiences %s", p.redirectURI, values) return fmt.Errorf("required audience %s was not in Response audiences %s", audienceValue, values)
} }
} }
} }