Opened 5 months ago

Closed 5 months ago

#1702 closed defect (invalid)

[NGINX Plus Openid connect]:audience check failed for array type field

Reported by: chunilalkukreja@… Owned by:
Priority: critical Milestone: nginx-1.15
Component: nginx-package Version: 1.15.x
Keywords: openid Cc: chuni.kukreja@…
uname -a: Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: NGINX Plus Release 17 (R17)

Description

With the NGINX Plus OpenID Connect feature, if the id_token has an "aud" field of type array (JSON array object), it fails to validate the token and returns a failure.
Error Log: 2019/01/04 19:55:11 [error] 3435#3435: *2 js: OIDC ID Token validation error: missing claim(s) aud

As a workaround, if I disable the audience check in the openid_connect.js script, everything works fine.

Eg:
"aud": [
    "https://identity.cloud.com/",
    "e46481793d7744178d5df02d2e7f9a3e"
],

Other Details:
I have tested this on Google Cloud by creating an NGINX Plus VM instance from the marketplace, which installs the latest nginx mainline version.
I have also tested this on my local setup using the one-month NGINX Plus free trial.
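The audience check the ticket is about, written to accept both forms the OpenID Connect Core spec allows for "aud" (a single string or an array of strings), as an added example: plain JavaScript in the style of an njs helper, not code from the nginx-openid-connect project or NGINX Plus; the client_id and issuer values are copied from the ticket's own example.

```javascript
// Added example, not code from nginx-openid-connect or NGINX Plus.
// Validates the "aud" claim of a decoded ID token per OpenID Connect
// Core 1.0 section 3.1.3.7: "aud" may be a string or an array of
// strings; the relying party's client_id must be among them, and when
// several audiences are listed the "azp" claim, if present, must equal
// the client_id. Returns { ok, reason } so callers can log the reason.
function validateAudience(claims, clientId) {
  const aud = claims.aud;
  if (aud === undefined || aud === null) {
    return { ok: false, reason: "missing claim(s) aud" };
  }
  // Normalise to an array so the string and array forms share one path.
  const audiences = Array.isArray(aud) ? aud : [aud];
  if (audiences.length === 0 || !audiences.every((a) => typeof a === "string")) {
    return { ok: false, reason: "aud must be a string or an array of strings" };
  }
  if (!audiences.includes(clientId)) {
    return { ok: false, reason: "aud does not contain client_id" };
  }
  if (audiences.length > 1 && "azp" in claims && claims.azp !== clientId) {
    return { ok: false, reason: "azp does not match client_id" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample claim sets modelled on the ticket's payload.
// CLIENT_ID and ISSUER are the values from the ticket's "aud" example.
const CLIENT_ID = "e46481793d7744178d5df02d2e7f9a3e";
const ISSUER = "https://identity.cloud.com/";
const SAMPLE_CLAIMS = {
  stringAud: { iss: ISSUER, aud: CLIENT_ID },
  arrayAud:  { iss: ISSUER, aud: [ISSUER, CLIENT_ID] },
  wrongAud:  { iss: ISSUER, aud: [ISSUER, "other-client"] },
  badAzp:    { iss: ISSUER, aud: [ISSUER, CLIENT_ID], azp: "other-client" },
  noAud:     { iss: ISSUER },
};

for (const name of Object.keys(SAMPLE_CLAIMS)) {
  const result = validateAudience(SAMPLE_CLAIMS[name], CLIENT_ID);
  console.log(name + ": " + (result.ok ? "ok" : "rejected (" + result.reason + ")"));
}
```

The arrayAud case is exactly the token shape the ticket reports as rejected; the badAzp case shows why multi-audience tokens also need the azp check rather than a bare membership test.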

Change History (2)

comment:1 Changed 5 months ago by chunilalkukreja@…

I faced this issue with the 3-legged authz code flow, and I believe this issue must persist with the 2-legged flow as well.

comment:2 Changed 5 months ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

This Trac is for nginx. If you have issues with the OpenID Connect integration for NGINX Plus, please use the corresponding GitHub repository to report them. (Just in case, this one seems to be a duplicate of https://github.com/nginxinc/nginx-openid-connect/issues/6.)
