Summary
IdTokenClaimsValidator skips aud
claim validation if token is issued by same identity issuer/provider.
Details
See https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202
This logic violates point 3 of https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.
Workaround exists by setting micronaut.security.token.jwt.claims-validators.audience
with valid values.
micronaut.security.token.jwt.claims-validators.openid-idtoken
can be kept as default on.
PoC
Should probably be:
return issuer.equalsIgnoreCase(iss) &&
audiences.contains(clientId) &&
validateAzp(claims, clientId, audiences);
Impact
Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared.
Mitigation
Please upgrade to a patched micronaut-security-oauth2
release as soon as possible.
If you cannot upgrade, for example, if you are still using Micronaut Framework 2, you can patch your application by creating a replacement of IdTokenClaimsValidatorReplacement
package cve;
import io.micronaut.context.annotation.Replaces;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.util.StringUtils;
import io.micronaut.security.config.SecurityConfigurationProperties;
import io.micronaut.security.oauth2.client.IdTokenClaimsValidator;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.configuration.OpenIdClientConfiguration;
import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
import io.micronaut.security.token.jwt.validator.JwtClaimsValidatorConfigurationProperties;
import javax.inject.Singleton;
import java.net.URL;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
@Requires(property = SecurityConfigurationProperties.PREFIX + ".authentication", value = "idtoken")
@Requires(property = JwtClaimsValidatorConfigurationProperties.PREFIX + ".openid-idtoken", notEquals = StringUtils.FALSE)
@Singleton
@Replaces(IdTokenClaimsValidator.class)
public class IdTokenClaimsValidatorReplacement extends IdTokenClaimsValidator {
public IdTokenClaimsValidatorReplacement(Collection<OauthClientConfiguration> oauthClientConfigurations) {
super(oauthClientConfigurations);
}
@Override
protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims,
@NonNull String iss,
@NonNull List<String> audiences,
@NonNull String clientId,
@NonNull OpenIdClientConfiguration openIdClientConfiguration) {
if (openIdClientConfiguration.getIssuer().isPresent()) {
Optional<URL> issuerOptional = openIdClientConfiguration.getIssuer();
if (issuerOptional.isPresent()) {
String issuer = issuerOptional.get().toString();
return issuer.equalsIgnoreCase(iss) &&
audiences.contains(clientId) &&
validateAzp(claims, clientId, audiences);
}
}
return false;
}
}
``
### References
- https://github.com/micronaut-projects/micronaut-security/security/advisories/GHSA-qw22-8w9r-864h
- https://github.com/micronaut-projects/micronaut-security/commit/9728b925221a0d87798ccf250657a3c214b7e980
- https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202
- https://nvd.nist.gov/vuln/detail/CVE-2023-36820
Summary
IdTokenClaimsValidator skips
aud
claim validation if token is issued by same identity issuer/provider.Details
See https://github.com/micronaut-projects/micronaut-security/blob/master/security-oauth2/src/main/java/io/micronaut/security/oauth2/client/IdTokenClaimsValidator.java#L202
This logic violates point 3 of https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.
Workaround exists by setting
micronaut.security.token.jwt.claims-validators.audience
with valid values.micronaut.security.token.jwt.claims-validators.openid-idtoken
can be kept as default on.PoC
Should probably be:
Impact
Any OIDC setup using Micronaut where multiple OIDC applications exists for the same issuer but token auth are not meant to be shared.
Mitigation
Please upgrade to a patched
micronaut-security-oauth2
release as soon as possible.If you cannot upgrade, for example, if you are still using Micronaut Framework 2, you can patch your application by creating a replacement of
IdTokenClaimsValidatorReplacement