feat: validate aud payload

Author: hlab-pawat

jwt.go

@@ -49,6 +49,7 @@ type Config struct {
 	JwtCookieKey       string // Deprecated: use JwtSources instead
 	JwtQueryKey        string // Deprecated: use JwtSources instead
 	JwtSources         []map[string]string
+	Aud                string
 }
 
 // CreateConfig creates a new OPA Config
@@ -79,6 +80,7 @@ type JwtPlugin struct {
 	opaResponseHeaders map[string]string
 	opaHttpStatusField string
 	jwtSources         []map[string]string
+	aud                string
 
 	name            string
 	keysLock        sync.RWMutex
@@ -192,6 +194,7 @@ func New(ctx context.Context, next http.Handler, config *Config, pluginName stri
 		opaResponseHeaders: config.OpaResponseHeaders,
 		opaHttpStatusField: config.OpaHttpStatusField,
 		jwtSources:         config.JwtSources,
+		aud:                config.Aud,
 		name:               pluginName,
 	}
 	// use default order if jwtSourceOrder is set
@@ -473,6 +476,43 @@ func (jwtPlugin *JwtPlugin) CheckToken(request *http.Request, rw http.ResponseWr
 					return 0, fmt.Errorf("token not valid yet")
 				}
 			}
+			if fieldName == "aud" && jwtPlugin.aud != "" {
+				audValue := jwtToken.Payload["aud"]
+				switch v := audValue.(type) {
+				case string:
+					if v != jwtPlugin.aud {
+						logError(fmt.Sprintf("Token audience mismatch, expected %s got %s", jwtPlugin.aud, v)).
+							withSub(sub).
+							withUrl(request.URL.String()).
+							withNetwork(jwtPlugin.remoteAddr(request)).
+							print()
+						return 0, fmt.Errorf("token audience mismatch")
+					}
+				case []interface{}:
+					found := false
+					for _, a := range v {
+						if aStr, ok := a.(string); ok && aStr == jwtPlugin.aud {
+							found = true
+							break
+						}
+					}
+					if !found {
+						logError(fmt.Sprintf("Token audience not found in list, expected %s", jwtPlugin.aud)).
+							withSub(sub).
+							withUrl(request.URL.String()).
+							withNetwork(jwtPlugin.remoteAddr(request)).
+							print()
+						return 0, fmt.Errorf("token audience not found in list")
+					}
+				default:
+					logError("Token audience has invalid type").
+						withSub(sub).
+						withUrl(request.URL.String()).
+						withNetwork(jwtPlugin.remoteAddr(request)).
+						print()
+					return 0, fmt.Errorf("token audience has invalid type")
+				}
+			}
 		}
 		for k, v := range jwtPlugin.jwtHeaders {
 			_, ok := jwtToken.Payload[v]

jwt_test.go

@@ -1311,3 +1311,107 @@ func mustParseUrl(urlStr string) *url.URL {
 	}
 	return u
 }
+
+func TestServeHTTPAudience(t *testing.T) {
+	tests := []struct {
+		Name       string
+		Fields     []string
+		Aud        string
+		Claims     string
+		err        string
+		nextCalled bool
+	}{
+		{
+			Name:       "valid string audience",
+			Fields:     []string{"aud"},
+			Aud:        "my-api",
+			Claims:     `{"aud": "my-api"}`,
+			err:        "",
+			nextCalled: true,
+		},
+		{
+			Name:       "valid array audience",
+			Fields:     []string{"aud"},
+			Aud:        "my-api",
+			Claims:     `{"aud": ["other-api", "my-api"]}`,
+			err:        "",
+			nextCalled: true,
+		},
+		{
+			Name:       "invalid string audience",
+			Fields:     []string{"aud"},
+			Aud:        "my-api",
+			Claims:     `{"aud": "other-api"}`,
+			err:        "token audience mismatch",
+			nextCalled: false,
+		},
+		{
+			Name:       "invalid array audience",
+			Fields:     []string{"aud"},
+			Aud:        "my-api",
+			Claims:     `{"aud": ["other-api", "another-api"]}`,
+			err:        "token audience not found in list",
+			nextCalled: false,
+		},
+		{
+			Name:       "missing audience when required",
+			Fields:     []string{"aud"},
+			Aud:        "my-api",
+			Claims:     `{}`,
+			err:        "payload missing required field aud",
+			nextCalled: false,
+		},
+		{
+			Name:       "audience not configured",
+			Fields:     []string{"aud"},
+			Aud:        "",
+			Claims:     `{"aud": "my-api"}`,
+			err:        "",
+			nextCalled: true,
+		},
+		{
+			Name:       "invalid audience type",
+			Fields:     []string{"aud"},
+			Aud:        "my-api",
+			Claims:     `{"aud": 123}`,
+			err:        "token audience has invalid type",
+			nextCalled: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.Name, func(t *testing.T) {
+			ctx := context.Background()
+			nextCalled := false
+			next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { nextCalled = true })
+
+			jwt, err := New(ctx, next, &Config{
+				PayloadFields: tt.Fields,
+				Aud:           tt.Aud,
+			}, "test-traefik-jwt-plugin")
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			recorder := httptest.NewRecorder()
+
+			req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost", nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			req.Header["Authorization"] = []string{"Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9." + base64.RawURLEncoding.EncodeToString([]byte(tt.Claims)) + ".JlX3gXGyClTBFciHhknWrjo7SKqyJ5iBO0n-3S2_I7cIgfaZAeRDJ3SQEbaPxVC7X8aqGCOM-pQOjZPKUJN8DMFrlHTOdqMs0TwQ2PRBmVAxXTSOZOoEhD4ZNCHohYoyfoDhJDP4Qye_FCqu6POJzg0Jcun4d3KW04QTiGxv2PkYqmB7nHxYuJdnqE3704hIS56pc_8q6AW0WIT0W-nIvwzaSbtBU9RgaC7ZpBD2LiNE265UBIFraMDF8IAFw9itZSUCTKg1Q-q27NwwBZNGYStMdIBDor2Bsq5ge51EkWajzZ7ALisVp-bskzUsqUf77ejqX_CBAqkNdH1Zebn93A"}
+
+			jwt.ServeHTTP(recorder, req)
+
+			if tt.nextCalled != nextCalled {
+				t.Fatalf("Expected next.ServeHTTP called: %v, got: %v", tt.nextCalled, nextCalled)
+			}
+			if tt.err != "" {
+				if strings.TrimSpace(recorder.Body.String()) != tt.err {
+					t.Fatalf("Expected error: %s, got: %s", tt.err, recorder.Body.String())
+				}
+			}
+		})
+	}
+}