Skip to content

feat: Enable global disabling of verifying client id against aud on jwt#844

Open
philipgough wants to merge 1 commit intoobservatorium:mainfrom
philipgough:aud-check
Open

feat: Enable global disabling of verifying client id against aud on jwt#844
philipgough wants to merge 1 commit intoobservatorium:mainfrom
philipgough:aud-check

Conversation

@philipgough
Copy link
Contributor

@philipgough philipgough commented Oct 31, 2025

No description provided.

@squat
Copy link
Member

squat commented Oct 31, 2025

What is the use-case here? Does this resolve any outstanding issues?
I've seen people ask for something like this before, but most of the time, disabling this is wrong and is simply a way to bypass a misconfiguration in infrastructure.

For more complex auth scenarios where Observatorium is a middleman, the IdP should be configured to return a list of valid client IDs in the aud claim so we can verify that our token is in the list. Without this check, we run the risk of hitting well-known security holes where tokens are forwarded to apps that they were not intended for, resulting in privilege escalation.

The OIDC spec is really clear that the aud claim needs to be checked and MUST include the client ID.
In general, skirting around security best practices is concerning to me and if we were to go through with this, I think we should add a clear warning by renaming the flag to be something like --insecure-oidc.skip-client-id-check, as go projects often do with insecure-skip-verify

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@philipgough @squat