authorOvermindDL1 <overminddl1@gmail.com>2018-09-20 13:17:34 -0600
committerLauris BH <lauris@nix.lv>2018-09-20 22:17:34 +0300
commit07af31d0045725596564e31499f621e3903b6a72 (patch)
tree6e0b16f206224e55f989c69af742f07b402b7908 /vendor
parent364c02924607eeebbe7d76983a7c5e45e9017fe0 (diff)
downloadgitea-07af31d0045725596564e31499f621e3903b6a72.tar.gz
gitea-07af31d0045725596564e31499f621e3903b6a72.zip
Fix #4877 to follow the OpenID Connect Audiences spec (#4878)
Signed-off-by: Gabriel Robertson <overminddl1@gmail.com>
Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go30
1 files changed, 29 insertions, 1 deletions
diff --git a/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go b/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go
index 44419ba15f..a4ff1d40ff 100644
--- a/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go
+++ b/vendor/github.com/markbates/goth/providers/openidConnect/openidConnect.go
@@ -200,7 +200,17 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
func (p *Provider) validateClaims(claims map[string]interface{}) (time.Time, error) {
audience := getClaimValue(claims, []string{audienceClaim})
if audience != p.ClientKey {
- return time.Time{}, errors.New("audience in token does not match client key")
+ found := false
+ audiences := getClaimValues(claims, []string{audienceClaim})
+ for _, aud := range audiences {
+ if aud == p.ClientKey {
+ found = true
+ break
+ }
+ }
+ if !found {
+ return time.Time{}, errors.New("audience in token does not match client key")
+ }
}
issuer := getClaimValue(claims, []string{issuerClaim})
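Review bot: The array branch added at lines 28–38 accepts any `aud` list that contains p.ClientKey but never consults the `azp` claim, which the OpenID Connect Core ID Token validation rules say a client SHOULD check whenever the token carries multiple audiences (and, if `azp` is present, that it equals the client_id); as written, a token minted for several clients passes without confirming this client is the authorized party. The found flag and loop can be folded into one condition, e.g. `if !contains(getClaimValues(claims, []string{audienceClaim}), p.ClientKey) {` with a small helper, or a loop that returns the error directly. Since the outer `audience != p.ClientKey` test still runs first, a plain-string `aud` equal to the client key never reaches the new code, which deserves a comment above line 28 such as `// aud may also be a JSON array; accept the token if any element is our client key`. This is a hand edit under vendor/, so it will be lost on the next dependency refresh unless upstream carries the same change. validateClaims continues past the end of the hunk.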
@@ -355,6 +365,24 @@ func getClaimValue(data map[string]interface{}, claims []string) string {
return ""
}
+func getClaimValues(data map[string]interface{}, claims []string) []string {
+ var result []string
+
+ for _, claim := range claims {
+ if value, ok := data[claim]; ok {
+ if stringValues, ok := value.([]interface{}); ok {
+ for _, stringValue := range stringValues {
+ if s, ok := stringValue.(string); ok && len(s) > 0 {
+ result = append(result, s)
+ }
+ }
+ }
+ }
+ }
+
+ return result
+}
+
// decodeJWT decodes a JSON Web Token into a simple map
// http://openid.net/specs/draft-jones-json-web-token-07.html
func decodeJWT(jwt string) (map[string]interface{}, error) {
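Review bot: getClaimValues has no doc comment and its contract is easy to misread: it yields only string elements of claims whose value is a JSON array, so a claim holding a single bare string produces nil, and any caller that relies on it alone would reject every single-audience token; it works in this commit only because validateClaims checks getClaimValue first. A comment above line 44 along the lines of `// getClaimValues returns the non-empty string elements of every listed claim whose value is a JSON array; a claim holding a single string yields nothing, so callers must check getClaimValue as well.` would make that coupling explicit. It also accumulates values across all listed claims rather than stopping at the first hit, which appears to differ from getClaimValue (whose `return ""` tail is all that is visible here); worth stating in the comment if intentional. On style, `s != ""` reads better than `len(s) > 0` for the emptiness test at line 51.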