fix!: add audience validation for jwt tokens

lu1as · lu1as · commit 9e749448e1c3 · 2025-10-27T22:45:22.000+01:00
diff --git a/docs/auth.md b/docs/auth.md
@@ -41,9 +41,10 @@ JWT allow granting access to a state for a given time (the token lifetime). The
 NOTE: `state` value can be set to `*` to allow accessing all project states
 
 ### Config
-| Environment Variable     | Type | Example                                      | Description                                                                       |
-|--------------------------|------|----------------------------------------------|-----------------------------------------------------------------------------------|
-| AUTH_JWT_OIDC_ISSUER_URL | bool | `https://vault.example.com/v1/identity/oidc` | Issuer URL which is used to validate token (if not defined, JWT auth is disabled) |
+| Environment Variable     | Type   | Example                                      | Description                                                                       |
+|--------------------------|--------|----------------------------------------------|-----------------------------------------------------------------------------------|
+| AUTH_JWT_OIDC_ISSUER_URL | bool   | `https://vault.example.com/v1/identity/oidc` | Issuer URL which is used to validate token (if not defined, JWT auth is disabled) |
+| AUTH_JWT_OIDC_CLIENT_ID  | string | `terraform-backend` (Default)                | Client ID (string or URI) used for validating token audience claim                |
 
 
 **Example Terraform backend configuration**
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
@@ -32,12 +32,14 @@ func Authenticate(req *http.Request, s *terraform.State) (ok bool, err error) {
 		authenticator = basic.NewBasicAuth()
 	case jwt.Name:
 		issuerURL := viper.GetString("auth_jwt_oidc_issuer_url")
+		viper.SetDefault("auth_jwt_oidc_client_id", "terraform-backend")
+		clientID := viper.GetString("auth_jwt_oidc_client_id")
 		if addr := viper.GetString("vault_addr"); issuerURL != "" && addr != "" {
 			issuerURL = fmt.Sprintf("%s/v1/identity/oidc", addr)
 		} else {
 			return false, fmt.Errorf("jwt auth is not enabled")
 		}
-		authenticator = jwt.NewJWTAuth(issuerURL)
+		authenticator = jwt.NewJWTAuth(issuerURL, clientID)
 	default:
 		err = fmt.Errorf("backend is not implemented")
 	}
diff --git a/pkg/auth/jwt/jwt.go b/pkg/auth/jwt/jwt.go
@@ -12,11 +12,13 @@ const Name = "jwt"
 
 type JWTAuth struct {
 	issuerURL string
+	clientID  string
 }
 
-func NewJWTAuth(issuerURL string) *JWTAuth {
+func NewJWTAuth(issuerURL string, clientID string) *JWTAuth {
 	return &JWTAuth{
 		issuerURL: issuerURL,
+		clientID:  clientID,
 	}
 }
 
@@ -31,7 +33,7 @@ func (b *JWTAuth) Authenticate(secret string, s *terraform.State) (bool, error)
 	}
 
 	verifier := provider.Verifier(&oidc.Config{
-		SkipClientIDCheck: true,
+		ClientID: b.clientID,
 	})
 
 	token, err := verifier.Verify(context.Background(), secret)

Original file line number	Diff line number	Diff line change
`@@ -12,11 +12,13 @@ const Name = "jwt"`
`12`	`12`
`13`	`13`	`type JWTAuth struct {`
`14`	`14`	`issuerURL string`
	`15`	`+ clientID string`
`15`	`16`	`}`
`16`	`17`
`17`		`-func NewJWTAuth(issuerURL string) *JWTAuth {`
	`18`	`+func NewJWTAuth(issuerURL string, clientID string) *JWTAuth {`
`18`	`19`	`return &JWTAuth{`
`19`	`20`	`issuerURL: issuerURL,`
	`21`	`+ clientID: clientID,`
`20`	`22`	`}`
`21`	`23`	`}`
`22`	`24`
`@@ -31,7 +33,7 @@ func (b JWTAuth) Authenticate(secret string, s terraform.State) (bool, error)`
`31`	`33`	`}`
`32`	`34`
`33`	`35`	`verifier := provider.Verifier(&oidc.Config{`
`34`		`- SkipClientIDCheck: true,`
	`36`	`+ ClientID: b.clientID,`
`35`	`37`	`})`
`36`	`38`
`37`	`39`	`token, err := verifier.Verify(context.Background(), secret)`