traefik plugin 0.7.7 (#73)

* Automatic discovery of the scopes. Issue #61 raised very valid concerns about users configuring scopes that are not supported by the provider. This change introduces automatic discovery of supported scopes by fetching the provider's discovery document and filtering out unsupported scopes. Before: User configures: scopes: ["openid", "profile", "email", "offline_access"] Self-hosted GitLab: "The requested scope is invalid, unknown, or malformed" Authentication: ❌ FAILS After: User configures: scopes: ["openid", "profile", "email", "offline_access"] Middleware checks discovery doc → offline_access not supported Automatically filters to: ["openid", "profile", "email"] Authentication: ✅ SUCCEEDS * Resolves issue #74 by enabling user to specify expected audience in the configuration. * Fix flaky tests.
2026-06-05 22:44:17 +00:00 · 2025-10-08 11:44:00 +01:00
parent 79d34ea4c9
commit bde1db1c3b
29 changed files with 3214 additions and 85 deletions
@@ -27,13 +27,19 @@ type TemplatedHeader struct {
 // It provides all necessary settings to configure OpenID Connect authentication
 // with various providers like Auth0, Logto, or any standard OIDC provider.
 type Config struct {
-	HTTPClient                *http.Client           `json:"-"`
-	OIDCEndSessionURL         string                 `json:"oidcEndSessionURL"`
-	CookieDomain              string                 `json:"cookieDomain"`
-	CallbackURL               string                 `json:"callbackURL"`
-	LogoutURL                 string                 `json:"logoutURL"`
-	ClientID                  string                 `json:"clientID"`
-	ClientSecret              string                 `json:"clientSecret"`
+	HTTPClient        *http.Client `json:"-"`
+	OIDCEndSessionURL string       `json:"oidcEndSessionURL"`
+	CookieDomain      string       `json:"cookieDomain"`
+	CallbackURL       string       `json:"callbackURL"`
+	LogoutURL         string       `json:"logoutURL"`
+	ClientID          string       `json:"clientID"`
+	ClientSecret      string       `json:"clientSecret"`
+	// Audience specifies the expected JWT audience claim value.
+	// If not set, defaults to ClientID for backward compatibility.
+	// For Auth0 API access tokens with custom audiences, set this to your API identifier.
+	// For Azure AD with Application ID URI, set to "api://your-app-id".
+	// Security: This value is validated against the JWT aud claim to prevent token confusion attacks.
+	Audience                  string                 `json:"audience,omitempty"`
 	PostLogoutRedirectURI     string                 `json:"postLogoutRedirectURI"`
 	LogLevel                  string                 `json:"logLevel"`
 	SessionEncryptionKey      string                 `json:"sessionEncryptionKey"`
@@ -268,6 +274,29 @@ func (c *Config) Validate() error {
 		return fmt.Errorf("refreshGracePeriodSeconds cannot be negative")
 	}

+	// Validate audience if specified
+	if c.Audience != "" {
+		// Validate audience format - should be a valid identifier or URL
+		if len(c.Audience) > 256 {
+			return fmt.Errorf("audience must not exceed 256 characters")
+		}
+
+		// If audience looks like a URL, validate it's HTTPS
+		if strings.HasPrefix(c.Audience, "http://") {
+			return fmt.Errorf("audience URL must use HTTPS, not HTTP")
+		}
+
+		// Prevent wildcard audiences which could weaken security
+		if strings.Contains(c.Audience, "*") {
+			return fmt.Errorf("audience must not contain wildcards")
+		}
+
+		// Validate that audience doesn't contain obvious injection patterns
+		if strings.ContainsAny(c.Audience, "\n\r\t\x00") {
+			return fmt.Errorf("audience contains invalid characters")
+		}
+	}
+
 	// Validate headers configuration for template security
 	for _, header := range c.Headers {
 		if header.Name == "" {