

[SECVULN-1532] chore: Remove TODO comments for OIDC/JWT auth (#19700)
chore: Remove TODO comments for OIDC/JWT auth

Remove old TODO comments and update remaining comments for clarity.
zalimeni authored Nov 20, 2023
1 parent bfb3a43 commit 58cc6ed
Showing 2 changed files with 2 additions and 2 deletions.
1 change: 0 additions & 1 deletion internal/go-sso/oidcauth/config.go
@@ -45,7 +45,6 @@ type Config struct {

// Comma-separated list of 'aud' claims that are valid for login; any match
// is sufficient
// TODO(sso): actually just send these down as string claims?
BoundAudiences []string

// Mappings of claims (key) that will be copied to a metadata field
3 changes: 2 additions & 1 deletion internal/go-sso/oidcauth/oidc.go
@@ -235,7 +235,8 @@ func (a *Authenticator) verifyOIDCToken(ctx context.Context, rawToken string) (m
if err := idToken.Claims(&allClaims); err != nil {
return nil, fmt.Errorf("unable to successfully parse all claims from token: %v", err)
}
// TODO(sso): why isn't this strict for OIDC?
// Follows behavior of hashicorp/vault-plugin-auth-jwt (non-strict validation).
// See https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/oidc#oidc-configuration-troubleshooting.
if err := validateAudience(a.config.BoundAudiences, idToken.Audience, false); err != nil {
return nil, fmt.Errorf("error validating claims: %v", err)
}
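Review bot: The replacement comment above the `validateAudience(a.config.BoundAudiences, idToken.Audience, false)` call names the precedent (vault-plugin-auth-jwt) but not what the `false` argument actually relaxes, so a reader of this login path still has to open validateAudience to learn which audience mismatches are tolerated. Because this is the audience check on an ID token used for login, I'd state the concrete effect inline, e.g. `// strict=false: <state which aud mismatch validateAudience tolerates> — matches hashicorp/vault-plugin-auth-jwt`, keeping the existing doc link on the following line. If non-strict also means the check is skipped when BoundAudiences is empty (I cannot tell from this hunk — confirm against validateAudience), the comment should say so, since operators relying on audience restriction then need to configure BoundAudiences explicitly. verifyOIDCToken begins above this hunk and continues below it.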

