-
Notifications
You must be signed in to change notification settings - Fork 994
Security Vulnerability: failed type assertion leads to bypassing Audience verification #422
Comments
FYI the snippet has expired on the playground. |
The original one: https://play.golang.org/p/Pnvvqfehl9K |
It looks like this is addressed in v4, which uses go modules, proposed changes seem identical
|
I believe #286 will fix this for older versions. |
I am not sure if using V4 is sufficient. The library seems to be abandoned. It might be better to use another JWT compliant from https://jwt.io/ |
So this is problem when:
I would say it is a problem when you are reusing token signing keys for multiple sites/applications (even for sites that you are not meaning to use - by So easiest workaround till fix is - make sure that you are not reusing signing keys (for applications that have different audience one thing - If you have set |
* Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. dgrijalva/jwt-go is abandoned (dgrijalva/jwt-go#457) with an outstanding security vulnerability (dgrijalva/jwt-go#422). form3tech-oss/jwt-go is a fork that has fixed the vulnerability.
* bugfix: New sometimes selected the wrong EntityDescriptor when parsing a metadata file with multiple EntityDescriptor's underneath a EntitiesDescriptor tag * Add syntax highlight * expose CookieMaxAge in samlsp Options * Enable persistent name id format (crewjam#107) * Enable persistent name id format * add ability to set the domain for the cookies (crewjam#95) * Fixed script hash to remove JS console errors when redirecting (crewjam#117) @RichardKnop PR#94 * saml{sp,idp}: add httpOnly and secure flag (conditionally) to cookies (crewjam#116) * Use dep package manager (crewjam#114) * use dep package manager * updated travis * Fix example code so that it compiles (crewjam#118) * expose ForceAuthn (crewjam#119) * fix validUntil in SPSSODescriptor fixes crewjam#123 * samlsp.Middleware.SecureCookie option (crewjam#128) * remove cruft * update README * fix some minor lint / style errors * samlsp: use current time for the JWT rather than the IssueInstant from the assertion (crewjam#130) fixes crewjam#122 jwt-go not support leeway parameter * travis cleanup: remove older go versions (crewjam#132) * samlsp: remove X-Saml headers in favor of attaching Claims to request context (crewjam#131) * samlsp: move the setting and reading of cookies into an interface (crewjam#133) We’ve had a bunch of changes requesting the ability to customize how cookies are set and it is getting a little messy. This change moves the code to setting and reading cookies into two interfaces which you can extend/customize. * add field to IdpAuthnRequest so you can externally control the “current” time (crewjam#136) The default is obviously the current time, but for various reasons you may wish to evaluate the response at a different reference time, for example processing a response that has been deferred. We can’t use the global TimeNow() thunk, which is designed for testing, because it isn’t safe to modify concurrently. * idp: handle assertions where no ACS url is specified (crewjam#139) * add test cases for SAML comment injection (crewjam#140) ref: CVE-2017-11427 ref: CVE-2017-11428 ref: CVE-2017-11429 ref: CVE-2017-11430 ref: CVE-2018-0489 ref: CVE-2018-7340 ref: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations * Update PGP key in README.md * make MaxIssueDelay configurable at runtime (mini-hack) * Remove the default xmlns from the expected output because the encoder does not reset the default. Should resolve the test for issue 152. (crewjam#158) * Added Travis badge (crewjam#159) * Fixed some typos in the README.md file. (crewjam#160) * dep ensure [ch16254] (crewjam#156) * add the ability to use custom cookie names and domain * fix missing time on IDP-initiated IdpAuthnRequest (crewjam#147) * added godoc badge to README.md (crewjam#143) * made selected binding configureable (crewjam#144) * Fix AES decryption (crewjam#142) Fix AES decryption by decrypting the EncryptedKey from the response, and passing the decrypted key to the data encryption. * idp: Allow intermediates to be encoded in signature (crewjam#127) * idp: Make signature method configurable (crewjam#126) * Removed %s format for claims audience not matching Provider EntityID for crewjam#154 (crewjam#161) * add support for a logout URL binding * add stale integration ref: https://probot.github.io/apps/stale/ * add support for other external middleware (crewjam#184) Changed samlsp/middleware.go to move the request handling part of the RequireAccount method out into a separate public method attached to the middleware type which can be used as a stand alone HTTP RequestHandler. That way the Handler can be used with other middleware chains which provide their own http.Handler wrapper methods. * crewjam#192: Support multiple IdP signing certificates * crewjam#192: Account for Go/check changes. * Handle root URL's with trailing slash * crewjam#194: Properly default EncryptionMethod/DigestMethod when not present. * Allow AudienceRestriction to be missing re crewjam#198 * Don't include the port with the domain when setting the cookie (crewjam#202) * update value of UnspecifiedNameIDFormat and EmailAddressNameIDFormat (crewjam#217) * Don't require Destination attribute in response when response is not signed (crewjam#213) * Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required. * Check Destination when present, even if response unsigned * Replaces testshib.org with samltest.id in the README (crewjam#211) Fixes crewjam#201 * Set the default domain for cookies properly (crewjam#187) Fixes crewjam#186. * Separate response validation from the Middleware so that ServiceProvider can be used standalone to validate requests. Also fix IDPInitiated requestids bug since Standalone validation may not have possibleRequestIds. * Adding support for eduPersonScopedAffiliation * Add in actual attribute evaluation for eduPersonScopedAffiliation. * Fix typo for idp example path in readme (crewjam#170) * omit validUntil if empty (crewjam#190) * Prevent panic caused by IDP-initiated login (crewjam#183) * - Check if IDP-initiated login is allowed and if so assume that the RelayState is a deep-link. - Guard against an IDP-initiated request that may not have the request ID in the claims. - Attempt to retrieve a state value using the RelayState first before checking if IDP-initiated flow is allowed. * Only address the panic in IDP-initiated login (#1) This change undoes some of the changes made in 4908b26, to just address the panic for IDP-initiated logins. I'll file an issue in the `crewjam/saml` repo about the other issue blocking IDP-initiated logins, which is how to support relay states from the IDP. * SP: Add capability to provide intermediate certs (crewjam#178) * remove bad import * remove log junk * fix compile error * Gopkg -> go.mod * tests: convert from go-check to testify * lint with golangci-lint * lint with golangci-lint * fix go.mod * fix travis configuration * fix travis configuration * Use RS256 rather than HS256 Using HS256 with the RSA private key (serialised as ASN.1 according to PKCS1) as the secret is unconventional and perhaps dangerous. The string of bytes isn't entirely random given that it starts with the version number. The encoded RSA key will be larger than the block size of the underlying hash and so to create a secret, the RSA key will be hashed. A more important problem is that we should be able to validate a jwt issued by the middleware with just the RSA public key. By moving to RS256, we can validate jwts without sharing the private key. Fix randomBytes: should ensure that the entire buffer is full. * Add Single Logout data structure * Set session NameID based on email * update test expectations * removed mandatory check for validating embedded certificate for rsa * Rename validateRSAKey to validateRSAKeyIfPresent Now that the validation is optional, the previous name did not accurately reflected the intention. * Removes unused dependencies Ran go mod tidy to remove golangci-lint as that isn't actally needed for this project. Its inclusion result in a huge number of dependencies to be imported. * travis: pin golangci-lint version * Bump github.com/beevik/etree from 1.0.1 to 1.1.0 Bumps [github.com/beevik/etree](https://github.com/beevik/etree) from 1.0.1 to 1.1.0. - [Release notes](https://github.com/beevik/etree/releases) - [Changelog](https://github.com/beevik/etree/blob/master/RELEASE_NOTES.md) - [Commits](beevik/etree@v1.0.1...v1.1.0) Signed-off-by: dependabot-preview[bot] <[email protected]> * update test expectations * Return status code if not success * Make cert optional for ServiceProvider.Metadata() * Add test case from OneLogin This adds a test case provided by @fredipevcin in [https://github.com/crewjam/saml/pull/25](PR25) that makes sure we can parse cases where the assertion is signed rather than the whole message. This has been supported for a while, but it is nice to ensure that the compatibility at issue continues to work. * Remove 'Failing' from certificate missing check * (Add tests for) Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required. * update readme to reflect our inability to produce encrypted assertions re crewjam#179 * fix bad merge * golangci: require comments, add a few missing ones * golangci: require comments, add a few missing ones * update test expectations * schema: don't include empty Format attributes in samlp:NameIDPolicyElement fixes crewjam#177 * make ValidDuration configurable for IDP. (crewjam#235) * refactor samlsp package to be more modular (crewjam#230) This change splits the Middleware component into three interfaces (in addition to the saml.ServiceProvider): * RequestTracker which handles tracking pending authn requests. * Session which handles issuing session cookies. * OnError which handles reporting errors to both the user and any logging. The default implementations of RequestTracker and Session use http cookie to encode JWTs, but further delegate the encoding/verification of the JWTs to codec interfaces which allow further customization, again with default implementations. This should make the *samlsp* package easier to extend to fit more use cases. Fixes crewjam#231 * Add optional callback for signature verification (crewjam#237) Fixes crewjam#234 * AllowIDPInitiated=true allows both IDP-initiated and normal (crewjam#240) * Bump github.com/kr/pretty from 0.1.0 to 0.2.0 (crewjam#243) Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.1.0 to 0.2.0. - [Release notes](https://github.com/kr/pretty/releases) - [Commits](kr/pretty@v0.1.0...v0.2.0) Signed-off-by: dependabot-preview[bot] <[email protected]> * add HTTPOnly bool to CookieSessionProvider (crewjam#248) * feat(slo): add logout response request validation (crewjam#247) * fix(slo): fix SessionIndex attribute in LogoutRequest (crewjam#245) * clean up README about breaking changes * feat(slo): add Bytes() and Deflate() functions for LogoutRequest (crewjam#251) Bytes() is needed in for returning a byte array for POST Binding. Deflate() is needed for compressing using gzip algorithm a LogoutRequest byte array. * fix(sp): no check for InResponseTo for if IDPInitiated is true (crewjam#259) * Add EntityID (crewjam#258) * feat: add Post / Redirect methods for LogoutRequest (crewjam#260) * Update README.md (crewjam#261) * Bump github.com/stretchr/testify from 1.4.0 to 1.5.0 (crewjam#263) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.4.0...v1.5.0) Signed-off-by: dependabot-preview[bot] <[email protected]> * Bump github.com/stretchr/testify from 1.5.0 to 1.5.1 (crewjam#264) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.0 to 1.5.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.5.0...v1.5.1) Signed-off-by: dependabot-preview[bot] <[email protected]> * Include a path when clearing the cookie (crewjam#278) Some browsers will refuse to remove a cookie that doesn't include the path * SessionNotOnOrAfter is serialized to XML if set (crewjam#292) It is currently possible to set SessionNotOnOrAfter directly on the Go structure, but it is not serialized to or deserialized from XML. * Fixes handling signed response with encrypted assertions (crewjam#273) When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest. The response signature is sufficient unless the assertion is also signed in which case both must be valid. * Bump github.com/kr/pretty from 0.2.0 to 0.2.1 (crewjam#294) Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/kr/pretty/releases) - [Commits](kr/pretty@v0.2.0...v0.2.1) Signed-off-by: dependabot-preview[bot] <[email protected]> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Bump github.com/stretchr/testify from 1.5.1 to 1.6.1 (crewjam#288) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.1 to 1.6.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.5.1...v1.6.1) Signed-off-by: dependabot-preview[bot] <[email protected]> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Add support for signed authnRequest (crewjam#296) * Fixes handling signed response with encrypted assertions When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest. The response signature is sufficient unless the assertion is also signed in which case both must be valid. * Add support for signed authnRequests * Update metadata.go (crewjam#297) Renamed LocalizedName & LocalizedURI Lang attributes -> `xml:"http://www.w3.org/XML/1998/namespace lang,attr"` fixes crewjam#295 * Allows configuring SameSite for session cookie (crewjam#276) Fixes crewjam#275 * fix lint errors & update test expectations * update README re: security issues * fix test expectation for go 1.15 * remove output cruft from xmlenc test * [SECURITY] bump version of goxmldsig [CVE-2020-15216] There was a signature validation bypass in goxmldsig, which saml uses to authenticate assertions. This change increments the dependent version of goxmldsig to a version that is no longer affected. For more information: GHSA-q547-gmf8-8jr7 * Merge pull request from GHSA-4hq8-gmxx-h6w9 This change validates that the XML input we receive is safe to parse before passing it to the standard library's XML parsing functions or the etree DOM parsing functions. This validation mitigates critical vulnerabilities in `encoding/xml` - CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511. TODO: is there going to be a go.mod version assigned to this on release? * fix version of xml-roundtrip-validator in go.mod * add SignLogoutResponse SignLogoutRequest MakeLogoutResponse * add SessionIndex to claims Attributes * Include a domain when clearing the cookie * identity_provider: extend session with CustomAttributes (crewjam#310) * add xUserId and xAccountId for session * add CustomAttributes for idp session content * fix: logout response element Response -> LogoutResponse (crewjam#305) * Spread the use of option SameSite to tracking cookies (crewjam#302) * fix formatting * travis -> github actions * fix typo in README * update test expectations * Stop validating InResponseTo when AllowIDPInitiated is set With this change we no longer validate InResponseTo when AllowIDPInitiated is set. Here's why: The SAML specification does not provide clear guidance for handling InResponseTo for IDP-initiated requests where there is no request to be in response to. The specification says: InResponseTo [Optional] The ID of a SAML protocol message in response to which an attesting entity can present the assertion. For example, this attribute might be used to correlate the assertion to a SAML request that resulted in its presentation. The initial thought was that we should specify a single empty string in possibleRequestIDs for IDP-initiated requests so that we would ensure that an InResponseTo was *not* provided in those cases where it wasn't expected. Even that turns out to be frustrating for users. And in practice some IDPs (e.g. Rippling) set a specific non-empty value for InResponseTo in IDP-initiated requests. Finally, it is unclear that there is significant security value in checking InResponseTo when we allow IDP initiated assertions. This issue has been reported quite a few times, including: Fixes crewjam#291 crewjam#286 crewjam#300 crewjam#301 crewjam#286 * set cookie domain when clearing request tracker cookie (crewjam#321) * samlsp: make middleware endpoints public (crewjam#323) * samlsp: remove deprecated fields (crewjam#324) * remove deprecated fields * update readme * add test that we can marshal an AuthnStatement without SessionNotOnOrAfter being set re crewjam#312 * samlsp: fix validating response with no issuer element (crewjam#328) * in tests, replace long strings with files we read from testdata/ * replace testify (which is more or less unmaintained) with gotest.tools * remove redundant []byte conversions * explicitly copy loop iterator variables This silences a warning from golangci-lint * fix spelling of test data file * add maintainer action to update dependencies * adjust maintainer action to update dependencies * Update go.mod * upgrade github.com/crewjam/httperr from v0.0.0-20190612203328-a946449404da to v0.2.0 * upgrade github.com/dchest/uniuri from v0.0.0-20160212164326-8902c56451e9 to v0.0.0-20200228104902-7aecb25e1fe5 * upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201213122252-bcd7e1b9601e to v0.0.0-20201219040909-8fd2afad43d1 * upgrade github.com/zenazn/goji from v0.9.1-0.20160507202103-64eb34159fe5 to v1.0.1 * upgrade golang.org/x/crypto from v0.0.0-20200622213623-75b288015ac9 to v0.0.0-20201221181555-eec23a3978ad * Fix AuthN Request signing for HTTP-Redirect binding (crewjam#339) * Fix signing for HTTP-Redirect binding The currently implemented behavior for signing AuthN Requests where an enveloped signature is added in the XML Document, is appropriate only when the HTTP-POST binding is used. Signing for authentication requests when the HTTP-Redirect binding is in use, is described in http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf section 3.4.4.1 and involves generating a signature of the deflated form of the AuthN request along with some other URL parameters, mainly because of URL length considerations. This commit implements proper AuthNRequest signing support according to the specification. * Add comment for function * linter is picky :) * SplitHostPort on DeleteSession (crewjam#335) * Add explicit tests for XSW (crewjam#338) XML Signature Wrapping attacks are unfortunately still very common in SAML implementations. crewjam/saml is not vulnerable to any XSW attacks as goxmldsig and this library's use of goxmldsig are safe. This commit adds a number of tests against common XSW attacks, so that these can serve as verification of the current safe state, prevent future regressions in crewjam/saml and detect possible future regressions in goxmldsig The numbering of the permutations of the XSW attack follows that of https://github.com/CompassSecurity/SAMLRaider and a visual depiction is available in https://github.com/CompassSecurity/SAMLRaider/blob/5b9eace70e88d0af17b86c26c2cad1178b08c7d0/src/main/resources/xswlist.png * Custom relayState generator (crewjam#337) * Update go.mod (crewjam#331) * upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201219040909-8fd2afad43d1 to v0.1.0 * upgrade golang.org/x/crypto from v0.0.0-20201221181555-eec23a3978ad to v0.0.0-20210317152858-513c2a44f670 Co-authored-by: Github Actions <[email protected]> * Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (crewjam#336) * Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](google/go-cmp@v0.5.4...v0.5.5) Signed-off-by: dependabot-preview[bot] <[email protected]> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Ross Kinder <[email protected]> * update README (crewjam#340) fixes crewjam#333 * Update go.mod (crewjam#342) * upgrade golang.org/x/crypto from v0.0.0-20210317152858-513c2a44f670 to v0.0.0-20210322153248-0c34fe9e7dc2 Co-authored-by: Github Actions <[email protected]> * Update go.mod (crewjam#343) Co-authored-by: crewjam <[email protected]> * Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. (crewjam#344) * Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. dgrijalva/jwt-go is abandoned (dgrijalva/jwt-go#457) with an outstanding security vulnerability (dgrijalva/jwt-go#422). form3tech-oss/jwt-go is a fork that has fixed the vulnerability. * Upgrade to GitHub-native Dependabot (crewjam#346) Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Make SP check more certs in IDP metadata (crewjam#353) From https://www.oasis-open.org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf ``` [E62]A use value of "signing" means that the contained key information is applicable to both signing and TLS/SSL operations performed by the entity when acting in the enclosing role. A use value of "encryption" means that the contained key information is suitable for use in wrapping encryption keys for use by the entity when acting in the enclosing role. If the use attribute is omitted, then the contained key information is applicable to both of the above uses. ``` We need to include certificates both when they have a "use" attribute of "signing" as well as when the "use" attribute is missing. Fixes crewjam#352 SAML input from @simmel. * bring monorepo lightstep/saml changes into lightstep forked saml repo #LS-26157 * Fix merge problems * Fix valid until tests * req.now may not be initialized in MakeResponse() so use Now() * use TimeNow() * req.now not guaranteed to be defined. Use TimeNow() in IdpAuthnRequest() and MakeAssertion() * Remove old code from comments, remove commented out Skip(broken) * use upstream's new validateDestination, but modify it to use urlsMatchModuloPortNumbers(). Add clock kew to notOnOrAfter Co-authored-by: Donald Hoelle <[email protected]> Co-authored-by: Umayr Shahid <[email protected]> Co-authored-by: Dustin Decker <[email protected]> Co-authored-by: Ross Kinder <[email protected]> Co-authored-by: Bryce Fisher <[email protected]> Co-authored-by: Sevki <[email protected]> Co-authored-by: Paul Tötterman <[email protected]> Co-authored-by: Lucas <[email protected]> Co-authored-by: Beyang Liu <[email protected]> Co-authored-by: Nao YONASHIRO <[email protected]> Co-authored-by: Darrel Herbst <[email protected]> Co-authored-by: Neha Malviya <[email protected]> Co-authored-by: Josh Silvas <[email protected]> Co-authored-by: ☃ Elliot Shepherd <[email protected]> Co-authored-by: Christoph Hack <[email protected]> Co-authored-by: Volkan Gürel <[email protected]> Co-authored-by: Andrew Pilloud <[email protected]> Co-authored-by: jb <[email protected]> Co-authored-by: Stephen Kress <[email protected]> Co-authored-by: Geoff Bourne <[email protected]> Co-authored-by: Robin Wood <[email protected]> Co-authored-by: Noval Agung Prayogo <[email protected]> Co-authored-by: Chris Vermilion <[email protected]> Co-authored-by: Joe Siltberg <[email protected]> Co-authored-by: Daniel Cormier <[email protected]> Co-authored-by: Tom Bruno <[email protected]> Co-authored-by: Shane Jeffery <[email protected]> Co-authored-by: ferhat elmas <[email protected]> Co-authored-by: Christopher Goulet <[email protected]> Co-authored-by: Praneet Loke <[email protected]> Co-authored-by: Benjamin Schubert <[email protected]> Co-authored-by: Stevie Johnstone <[email protected]> Co-authored-by: Ryan Zhang <[email protected]> Co-authored-by: Grace Noah <[email protected]> Co-authored-by: Jon Gyllensward <[email protected]> Co-authored-by: gotjosh <[email protected]> Co-authored-by: Leonard Gram <[email protected]> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Michael Rauh <[email protected]> Co-authored-by: Matthew Steffen <[email protected]> Co-authored-by: Bryce Fisher <[email protected]> Co-authored-by: Jan Szumiec <[email protected]> Co-authored-by: aspeteRakete <[email protected]> Co-authored-by: Joe Siltberg <[email protected]> Co-authored-by: David Goeke <[email protected]> Co-authored-by: Daniel Hochman <[email protected]> Co-authored-by: Mathieu Mailhos <[email protected]> Co-authored-by: miketonks <[email protected]> Co-authored-by: (0x794E6).toString(36) <[email protected]> Co-authored-by: Andreas Fritzler <[email protected]> Co-authored-by: Ron Kuris <[email protected]> Co-authored-by: Andy Lindeman <[email protected]> Co-authored-by: Ricardo Andrade <[email protected]> Co-authored-by: bstrueb <[email protected]> Co-authored-by: Ross Kinder <[email protected]> Co-authored-by: neilli-sable <[email protected]> Co-authored-by: Alex Yan <[email protected]> Co-authored-by: Alan Shreve <[email protected]> Co-authored-by: AlekseyZolotuhin <[email protected]> Co-authored-by: Alexander Zobnin <[email protected]> Co-authored-by: Github Actions <[email protected]> Co-authored-by: Ioannis Kakavas <[email protected]> Co-authored-by: yuki2006 <[email protected]> Co-authored-by: Harold Alcala <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: crewjam <[email protected]> Co-authored-by: Bay Grabowski <[email protected]> Co-authored-by: Patrik Lundin <[email protected]>
if
m["aud"]
happens to be[]string{}
, as allowed by the spec, the type assertion fails and the value ofaud
is""
. This can cause audience verification to succeed even if the audiences being passed are incorrect ifrequired
is set tofalse
.https://github.com/dgrijalva/jwt-go/blob/master/map_claims.go#L16
https://play.golang.org/p/Pnvvqfehl9K
The text was updated successfully, but these errors were encountered: