Audience claim validation required if token contains a list of audiences only #274

Closed
kacper1112 opened this issue Feb 1, 2024 · 6 comments · Fixed by #295

Comments

@kacper1112

Hi,
I ran into this issue when preparing my Vault configuration for the upcoming GitLab 17 update. See this issue for more context.

According to RFC 7519:

If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.

In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value.

My understanding is that if the claim is present in the token, it has to be validated. The problem is that Vault only enforces this rule if the value of aud is an array. If the value of aud is a plain string, and bound_audiences is not set on the auth role, the token is accepted.

With the following configuration:

vault write auth/jwt/config -<<EOF
{
  "jwks_url":"https://my.gitlab.com/-/jwks"
}
EOF

vault write auth/jwt/role/example-role -<<EOF
{
  "role_type": "jwt",
  "user_claim": "sub",
  "bound_claims": {
    "iss":[
      "my.gitlab.com",
      "https://my.gitlab.com"
    ],
    "ref_protected": "false",
    "project_id": "217950"
  }
}
EOF

An attempt to log in with a JWT (assuming iss and other bound_claims match) where

  1. "aud": "https://my.gitlab.com" will pass
  2. "aud": [ "https://my.gitlab.com" ] will fail with "audience claim found in JWT but no audiences bound to the role"

Is this expected behaviour? I could not find any note in the documentation, and it also does not seem right looking at the RFC.

Tested with Vault 1.14.8 and 1.15.5.
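
As an added illustration of the rule the report quotes (this is not code from the issue or from Vault's own JWT plugin), the following Go check normalizes aud into a list before binding it, so the string form in point 1 and the array form in point 2 are treated alike. The claims map, the function names and the boundAudiences slice standing in for the role's bound_audiences are assumptions.

```go
package main

import "errors"

// audienceValues normalizes "aud", which RFC 7519 allows to be a single string or an array of strings.
func audienceValues(claims map[string]interface{}) ([]string, bool, error) {
	raw, ok := claims["aud"]
	if !ok {
		return nil, false, nil
	}
	switch v := raw.(type) {
	case string:
		return []string{v}, true, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, item := range v {
			s, isStr := item.(string)
			if !isStr {
				return nil, true, errors.New("aud array contains a non-string value")
			}
			out = append(out, s)
		}
		return out, true, nil
	}
	return nil, true, errors.New("aud claim has an unsupported type")
}

// validateAudience applies the quoted rule: whenever "aud" is present, one of boundAudiences
// (assumed to hold the role's bound_audiences) must appear in it, for both the string and array form.
func validateAudience(claims map[string]interface{}, boundAudiences []string) error {
	auds, present, err := audienceValues(claims)
	if err != nil {
		return err
	}
	if !present {
		return nil // no aud claim, so there is nothing to bind against
	}
	if len(boundAudiences) == 0 {
		return errors.New("audience claim found in JWT but no audiences bound to the role")
	}
	for _, a := range auds {
		for _, b := range boundAudiences {
			if a == b {
				return nil
			}
		}
	}
	return errors.New("aud claim does not match any bound audience")
}
```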

@mcollao-hc

Hey @kacper1112, this issue should be fixed in an upcoming release of Vault with #295.

We're also planning to reserve a CVE since this posed a vulnerability. If you would like to be credited in the CVE, please reply back with how you would want it presented (e.g. kacper1112 or your full name). Thanks for the issue report!

@kacper1112
Author

Hey @mcollao-hc, thanks for resolving this.

If that's still viable I would appreciate being credited with my full name - Kacper Stysiński.

@fairclothjm
Contributor

Fixed by #295

@kacper1112
Author

Hey @fairclothjm, @mcollao-hc, are you still planning to reserve a CVE for this issue, or have you already reserved one? Just curious, thanks.

@mcollao-hc

Hey @kacper1112, CVE-2024-5798 is assigned to this. Will be made public soon.

@mcollao-hc

@kacper1112 https://discuss.hashicorp.com/t/hcsec-2024-11-vault-incorrectly-validated-json-web-tokens-jwt-audience-claims/67770.

Thank you for your report!
