JWT verification fails with audience claim #955

Closed
russelldavies opened this issue Aug 27, 2017 · 12 comments

Comments

@russelldavies
Contributor

russelldavies commented Aug 27, 2017

In the jose library if the aud claim is present in the JWT then during verification it validates this claim.

Currently, there is no way to disable this or set the audience claim so verification is unsuccessful. Specifically, the JWTNotInAudience message is generated during JWT verification.

@begriffs
Member

Can you provide more information please, such as the http request and error message?

@russelldavies
Contributor Author

@begriffs I accidentally tabbed and hit return and the form posted before I had a chance to finish typing. I've edited it now.

@begriffs
Member

Oh man that sounds bad, so if aud is present then it just lets any claim through??

@russelldavies
Contributor Author

Not at all, it just fails with a JWTNotInAudience error. In the defaultJWTValidationSettings, unless the aud claim is set to what is in the JWT aud claim, the JWT is rejected.

So a solution is to either disable this check or to instruct the jose library what the audience to check should be, through the postgrest configuration file.

@willscripted

willscripted commented Aug 30, 2017

^^ So,

if `aud`
  verify against value in pgrst-config

That sounds like it wouldn't break anything for existing deployments.
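The verification rule sketched in this thread, as an added stand-alone example (not PostgREST's or jose's own code): an `aud` claim is only checked when present, and then it must contain the audience configured for the server, otherwise the token is rejected with a JWTNotInAudience-style error. The secret, the `expected_aud` parameter standing in for a config value, and the error names other than JWTNotInAudience are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment uses a strong random secret or a JWK.
SECRET = b"constructed-demo-secret"
NOT_IN_AUDIENCE = "JWTNotInAudience"  # error name reported in the issue


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT for the given claims (used to construct test tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, expected_aud: Optional[str], secret: bytes = SECRET):
    """Return (claims, None) on success or (None, error_name) on rejection.

    expected_aud models a hypothetical audience setting in the PostgREST
    config file: None means no audience was configured.
    """
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None, "JWTMalformed"
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return None, "JWTUnsupportedAlg"  # pin the algorithm; never trust the header's choice
    expected_sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(sig)):
        return None, "JWTBadSignature"
    claims = json.loads(_unb64url(payload))
    if "aud" in claims:  # only validated when the claim is present
        aud = claims["aud"]
        audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519: string or array
        if expected_aud is None or expected_aud not in audiences:
            return None, NOT_IN_AUDIENCE
    return claims, None
```

A token without `aud` still passes when no audience is configured, which is why the change proposed above does not break existing deployments.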

@begriffs
Member

begriffs commented Sep 6, 2017

Yeah sounds straightforward. I'll open a PR to implement this.

@statik
Contributor

statik commented Sep 15, 2017

I've managed to configure postgrest 0.4.3 with a JWK retrieved from keycloak, and specify a custom mapper in keycloak so that I can force a "role" claim to be included in the JWT to satisfy postgrest. However, I'm now running into the error JWTNotInAudience from postgrest. I have not been able to find any way to configure keycloak to leave the "aud" claim out of the JWT, so I think the workaround for Auth0 isn't viable for keycloak.

I'm pretty newbie to haskell but interested in helping with this if the PR is not already written as I have already invested a bunch of time figuring out keycloak and this seems to be the last missing piece to get postgrest working with keycloak.

statik added a commit to statik/postgrest that referenced this issue Sep 15, 2017
Signed-off-by: Elliot Murphy <[email protected]>
statik added a commit to statik/postgrest that referenced this issue Sep 26, 2017
Signed-off-by: Elliot Murphy <[email protected]>
@marsouin

@statik this is great, I have the same issue, can I update Postgrest with your work?

@statik
Contributor

statik commented Sep 26, 2017

@marsouin this was just merged to master an hour ago, I am currently running with a version I built from source until the next release comes out and it's working ok for me.

@marsouin

Oh awesome! Any tips on building it? I'm very new to Haskell...

@russelldavies
Contributor Author

@marsouin The build instructions cover this.

@russelldavies
Contributor Author

I've created a pull request in the docs for this (PostgREST/postgrest-docs#106) so closing this now.
