1.15.x: revert bound audiences behavior change #308
@@ -269,69 +445,6 @@ func testLogin_JWT(t *testing.T, jwks bool) { | |||
} | |||
} | |||
|
|||
// Test bound audiences unset, claims "aud" set |
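Review bot: the hunk header replaces 69 lines of testLogin_JWT with 6, and the removed lines include the case "// Test bound audiences unset, claims "aud" set"; please confirm that TestLoginBoundAudiences, the new test named in the description, exercises that same combination (no bound_audiences on the role, aud present in the token) so the revert does not silently drop that coverage, and mention it in the PR description.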
This test case is captured in the new test
fmt.Println() | ||
fmt.Println(authURL) | ||
fmt.Println() |
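Review bot: fmt.Println(authURL) and the two surrounding fmt.Println() calls look like leftover debugging output in a test; remove them, or switch to t.Logf so the authorization URL only shows up with -v or on failure rather than in every CI log.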
Nice tests!
fmt.Println() | ||
fmt.Println(authURL) | ||
fmt.Println() |
Description
This PR proposes to revert the change made in #295 to address CVE-2024-5798. We add a new test TestLoginBoundAudiences to test the behavior expectations.

Background
#295 fixed a bug where the login JWT's aud claim is ignored if it is a single string. The net effect is that the role's bound_audiences parameter must match at least one of the JWT's aud claims if the token has an aud claim. Since the behavior change is a breaking change, we are reverting the change in the Vault versions after 1.15.10 and 1.16.4. However, the behavior change will go into effect in Vault 1.17 and later.
Relates
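As an added illustration of the behavior the description is about (example code, not the plugin's own): a JWT aud claim may be a single string or an array, so a bound_audiences check has to decode both forms before matching. Assumed here: an empty bound_audiences list means no restriction (the page does not state that case), and the claim sets in main are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audClaim models the JWT "aud" claim, which RFC 7519 allows to be a single
// string or an array; decoding only the array form is the bug the PR describes.
type audClaim []string

func (a *audClaim) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audClaim{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = audClaim(many)
	return nil
}

// checkBoundAudiences is nil when the token has no aud claim or some aud value
// equals a bound audience; empty boundAudiences means no restriction (assumption).
func checkBoundAudiences(boundAudiences []string, claimsJSON []byte) error {
	var claims struct{ Aud *audClaim `json:"aud"` }
	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
		return err
	}
	if claims.Aud == nil || len(boundAudiences) == 0 {
		return nil
	}
	for _, bound := range boundAudiences {
		for _, aud := range *claims.Aud {
			if aud == bound {
				return nil
			}
		}
	}
	return fmt.Errorf("aud %v matches none of bound_audiences %v", *claims.Aud, boundAudiences)
}

func main() { // constructed sample claim sets, not tokens from the page
	for _, c := range []string{`{"aud":"vault"}`, `{"aud":["other","vault"]}`, `{"aud":"other"}`} {
		fmt.Println(c, "->", checkBoundAudiences([]string{"vault"}, []byte(c)))
	}
}
```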