From c078ba20a6b11cb4e75ec983fde6f415964137b2 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Thu, 28 May 2026 12:22:09 +0200
Subject: [PATCH] auth: reject JWTs with mismatched azp or aud claims

A JWT with the wrong authorized party or audience was previously silently falling through to the token exchange instead of being rejected. Not critical since signature verification would then fail, but but we should return the error directly on mismatch.
---
 pkg/auth/auth.go | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index 44814ea42..b640f5eef 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -275,9 +275,7 @@ func (s *Server) ValidateAndRetrieveAPIToken(accessToken string) (string, *APITo
 return "", nil, errors.New("failed to extract azp from JWT claims")
 }
 if azp != ClientID {
- if !ok {
- return "", nil, fmt.Errorf("failed to match expected azp: %s", azp)
- }
+ return "", nil, fmt.Errorf("failed to match expected azp: %s", azp)
 }
 
 aud, ok := claims["aud"]
@@ -286,9 +284,7 @@ func (s *Server) ValidateAndRetrieveAPIToken(accessToken string) (string, *APITo
 }
 
 if aud != s.APIEndpoint {
- if !ok {
- return "", nil, fmt.Errorf("failed to match expected aud: %s", s.APIEndpoint)
- }
+ return "", nil, fmt.Errorf("failed to match expected aud: %s", s.APIEndpoint)
 }
 
 email, ok := claims["email"]
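Review bot: The new azp `return` line interpolates the token's `azp` claim with `%s`; the commit message implies this check runs before signature verification, so the value is not yet trusted and should be quoted so that an empty value is visible and control characters are escaped wherever the error is logged or surfaced: `return "", nil, fmt.Errorf("failed to match expected azp: %q", azp)`. Since `azp` appears to come from a generic claims map, `azp != ClientID` compares an interface value against a string; that correctly rejects a non-string claim, but the message would then print its Go representation rather than a string, which may be acceptable. ValidateAndRetrieveAPIToken begins and ends outside the hunk.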
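Review bot: `aud != s.APIEndpoint` on the new side of the second hunk only matches a string-valued `aud`, but RFC 7519 allows `aud` to be an array of strings, so a token whose audience list contains `s.APIEndpoint` would be rejected here (the safe direction, but a false negative) if `claims` is a generic map as the `claims["aud"]` lookup suggests. If the issuer can emit array audiences, the comparison should also accept a `[]interface{}` value in which some element equals `s.APIEndpoint`. The error message reports the expected endpoint rather than the received claim, which is inconsistent with the azp message in the first hunk; `fmt.Errorf("failed to match expected aud %q: got %q", s.APIEndpoint, aud)` would make the mismatch diagnosable while keeping the untrusted value quoted. ValidateAndRetrieveAPIToken begins and ends outside the hunk.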