Fix #4877 to follow the OpenID Connect Audiences spec (#4878)
authorOvermindDL1 <overminddl1@gmail.com>
Thu, 20 Sep 2018 19:17:34 +0000 (13:17 -0600)
committerLauris BH <lauris@nix.lv>
Thu, 20 Sep 2018 19:17:34 +0000 (22:17 +0300)
Signed-off-by: Gabriel Robertson <overminddl1@gmail.com>
Gopkg.lock
vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go

index 7126f73642b2c318d1e50ae7d99ca3cbd029196d..056d8fd6f77bf96791069f42f2922e7817a8fd20 100644 (file)
   revision = "e3534c89ef969912856dfa39e56b09e58c5f5daf"
 
 [[projects]]
-  digest = "1:fb22af9d8c1a6166ad299705648db460ba2c28a830f7f6cdd830019d7c3fd96f"
+  digest = "1:23f75ae90fcc38dac6fad6881006ea7d0f2c78db5f9f81f3df558dc91460e61f"
   name = "github.com/markbates/goth"
   packages = [
     ".",
     "providers/twitter",
   ]
   pruneopts = "NUT"
-  revision = "4933f155d89c3c52ab4ca545c6602cf4a1e87913"
-  version = "1.45.5"
+  revision = "f9c6649ab984d6ea71ef1e13b7b1cdffcf4592d3"
+  version = "v1.46.1"
 
 [[projects]]
   digest = "1:3ef954101983406a71171c4dc816a73e01bb3de608b3dd063627aa67a459f3e3"
index 44419ba15f6019d056fdeda24a0657d7ae46cfcd..a4ff1d40ff267fb6316356a3d430789286a0dd6d 100644 (file)
@@ -200,7 +200,17 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
 func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) {
        audience := getClaimValue(claims, []string{audienceClaim})
        if audience != p.ClientKey {
-               return time.Time{}, errors.New("audience in token does not match client key")
+               found := false
+               audiences := getClaimValues(claims, []string{audienceClaim})
+               for _, aud := range audiences {
+                       if aud == p.ClientKey {
+                               found = true
+                               break
+                       }
+               }
+               if !found {
+                       return time.Time{}, errors.New("audience in token does not match client key")
+               }
        }
 
        issuer := getClaimValue(claims, []string{issuerClaim})
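Review bot: Accepting a token because the `aud` array merely contains p.ClientKey (the `found` loop at the top of the hunk) is only part of what OIDC Core §3.1.3.7 asks for: when an ID Token carries multiple audiences the client should also verify that an `azp` claim is present and equals its client_id, otherwise a token issued to a different client that lists this one as a secondary audience is accepted as a login. The check belongs inside the same block, after the `!found` guard where `audiences` is in scope, e.g. `if len(audiences) > 1 && getClaimValue(claims, []string{"azp"}) != p.ClientKey { return time.Time{}, errors.New("authorized party in token does not match client key") }` (the claim name is a literal here because no constant for it is visible in the hunk). A comment on the loop such as `// aud may be a single string or a JSON array (OIDC Core §2); retry the comparison as a list` would explain why the scalar comparison is followed by a second lookup. validateClaims continues past the hunk, so the issuer and expiry handling is not visible here.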
@@ -355,6 +365,24 @@ func getClaimValue(data map[string]interface{}, claims []string) string {
        return ""
 }
 
+func getClaimValues(data map[string]interface{}, claims []string) []string {
+       var result []string
+
+       for _, claim := range claims {
+               if value, ok := data[claim]; ok {
+                       if stringValues, ok := value.([]interface{}); ok {
+                               for _, stringValue := range stringValues {
+                                       if s, ok := stringValue.(string); ok && len(s) > 0 {
+                                               result = append(result, s)
+                                       }
+                               }
+                       }
+               }
+       }
+
+       return result
+}
+
 // decodeJWT decodes a JSON Web Token into a simple map
 // http://openid.net/specs/draft-jones-json-web-token-07.html
 func decodeJWT(jwt string) (map[string]interface{}, error) {
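Review bot: The new getClaimValues has no doc comment, unlike the neighbouring decodeJWT, and its contract is easy to misread: it gathers string elements from every named claim whose value is a JSON array and silently skips claims holding a plain string as well as non-string array elements. Suggest `// getClaimValues returns the non-empty string elements of each named claim whose value is a JSON array; claims holding a scalar string are ignored (see getClaimValue).` As a point of style, the local `stringValues` actually holds `[]interface{}`, so a name like `items` avoids implying the string assertion has already happened, and `s != ""` is the idiomatic form of `len(s) > 0`.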