Opened 5 years ago

Closed 5 years ago

#1702 closed defect (invalid)

[NGINX Plus Openid connect]:audience check failed for array type field

Reported by: chunilalkukreja@… Owned by:
Priority: critical Milestone: nginx-1.15
Component: nginx-package Version: 1.15.x
Keywords: openid Cc: chuni.kukreja@…
uname -a: Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: NGINX Plus Release 17 (R17)

Description

With nginx plus openid connect feature, if the id_token has "aud" field of type array (json array object). It fails to validate the token & returns failure.
Error Log: 2019/01/04 19:55:11 [error] 3435#3435: *2 js: OIDC ID Token validation error: missing claim(s) aud

As a workaround, if i disable the audience check from openid_connect.js script everything works fine.

Eg:
"aud": [

"https://identity.cloud.com/",
"e46481793d7744178d5df02d2e7f9a3e"

],

Other Details:
I have tested this on google cloud by creating nginx plus VM instance from marketplace which installs latest nginx mainline version.
And also have tested this on my local setup using one month nginx plus free trial.

Change History (2)

comment:1 by chunilalkukreja@…, 5 years ago

I faced this issue with 3 legged authz code flow. And i believe this issue must persists with 2 legged flow as well.

comment:2 by Maxim Dounin, 5 years ago

Resolution: invalid
Status: newclosed

This Trac is for nginx. If you have issues with OpenID Connect integration for NGINX Plus, please use corresponding github repository to report them. (Just in case, this one seems to be duplicate of https://github.com/nginxinc/nginx-openid-connect/issues/6.)

Note: See TracTickets for help on using tickets.