Fix bug in validation of multiple audiences

sfinnman-cotn · sfinnman-cotn · commit 43e486a9bf08 · 2025-05-27T14:44:03.000+02:00
In a situation where multiple audiences are validated by the
validator, the order of evaluation of the for-range loop
affects the result.

If we produce matches such as:

```
{
  "example.org": true,
  "example.com": false,
}
```

and we configured the validator to expect a single match on
audience, the code would either:

1. produce "token has invalid audience" if "example.org" was
evaluated first

2. produce a passing result if "example.com" was evaluated first

This commit fixes this bug, and adds a suite of tests as well
as regression tests to prevent this issue in future.
diff --git a/validator.go b/validator.go
@@ -262,11 +262,11 @@ func (v *Validator) verifyAudience(claims Claims, cmp []string, expectAllAud boo
 	// check if all expected auds are present
 	result := true
 	for _, match := range matching {
-		if !expectAllAud && match {
+		if match && !expectAllAud {
+			result = true
 			break
-		} else if !match {
-			result = false
 		}
+		result = result && match
 	}
 
 	// case where "" is sent in one or many aud claims
diff --git a/validator_test.go b/validator_test.go
@@ -261,3 +261,121 @@ func Test_Validator_verifyIssuedAt(t *testing.T) {
 		})
 	}
 }
+
+func Test_Validator_verifyAudience(t *testing.T) {
+	type fields struct {
+		expectedAud []string
+	}
+	type args struct {
+		claims       Claims
+		cmp          []string
+		expectAllAud bool
+		required     bool
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr error
+	}{
+		{
+			name:   "good without audience when expecting one aud match",
+			fields: fields{expectedAud: []string{"example.com"}},
+			args: args{
+				claims:       MapClaims{},
+				cmp:          []string{"example.com"},
+				expectAllAud: false,
+				required:     false,
+			},
+			wantErr: nil,
+		},
+		{
+			name:   "good without audience when expecting all aud matches",
+			fields: fields{expectedAud: []string{"example.com"}},
+			args: args{
+				claims:       MapClaims{},
+				cmp:          []string{"example.com"},
+				expectAllAud: true,
+				required:     false,
+			},
+			wantErr: nil,
+		},
+		{
+			name:   "audience matches",
+			fields: fields{expectedAud: []string{"example.com"}},
+			args: args{
+				claims:       RegisteredClaims{Audience: ClaimStrings{"example.com"}},
+				cmp:          []string{"example.com"},
+				expectAllAud: false,
+				required:     true,
+			},
+			wantErr: nil,
+		},
+		{
+			name:   "audience matches with one value",
+			fields: fields{expectedAud: []string{"example.org", "example.com"}},
+			args: args{
+				claims:       RegisteredClaims{Audience: ClaimStrings{"example.com"}},
+				cmp:          []string{"example.org", "example.com"},
+				expectAllAud: false,
+				required:     true,
+			},
+			wantErr: nil,
+		},
+		{
+			name:   "audience matches with all values",
+			fields: fields{expectedAud: []string{"example.org", "example.com"}},
+			args: args{
+				claims:       RegisteredClaims{Audience: ClaimStrings{"example.org", "example.com"}},
+				cmp:          []string{"example.org", "example.com"},
+				expectAllAud: true,
+				required:     true,
+			},
+			wantErr: nil,
+		},
+		{
+			name:   "audience not matching",
+			fields: fields{expectedAud: []string{"example.org", "example.com"}},
+			args: args{
+				claims:       RegisteredClaims{Audience: ClaimStrings{"example.net"}},
+				cmp:          []string{"example.org", "example.com"},
+				expectAllAud: false,
+				required:     true,
+			},
+			wantErr: ErrTokenInvalidAudience,
+		},
+		{
+			name:   "audience not matching all values",
+			fields: fields{expectedAud: []string{"example.org", "example.com"}},
+			args: args{
+				claims:       RegisteredClaims{Audience: ClaimStrings{"example.org", "example.net"}},
+				cmp:          []string{"example.org", "example.com"},
+				expectAllAud: true,
+				required:     true,
+			},
+			wantErr: ErrTokenInvalidAudience,
+		},
+		{
+			name:   "audience missing when required",
+			fields: fields{expectedAud: []string{"example.org", "example.com"}},
+			args: args{
+				claims:       MapClaims{},
+				cmp:          []string{"example.org", "example.com"},
+				expectAllAud: true,
+				required:     true,
+			},
+			wantErr: ErrTokenRequiredClaimMissing,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			v := &Validator{
+				expectedAud:  tt.fields.expectedAud,
+				expectAllAud: tt.args.expectAllAud,
+			}
+			if err := v.verifyAudience(tt.args.claims, tt.args.cmp, tt.args.expectAllAud, tt.args.required); (err != nil) && !errors.Is(err, tt.wantErr) {
+				t.Errorf("validator.verifyAudience() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -262,11 +262,11 @@ func (v *Validator) verifyAudience(claims Claims, cmp []string, expectAllAud boo`
`262`	`262`	`// check if all expected auds are present`
`263`	`263`	`result := true`
`264`	`264`	`for _, match := range matching {`
`265`		`- if !expectAllAud && match {`
	`265`	`+ if match && !expectAllAud {`
	`266`	`+ result = true`
`266`	`267`	`break`
`267`		`- } else if !match {`
`268`		`- result = false`
`269`	`268`	`}`
	`269`	`+ result = result && match`
`270`	`270`	`}`
`271`	`271`
`272`	`272`	`// case where "" is sent in one or many aud claims`