feat(rp): optional authorized party check (#752)

This PR makes the default Authorized Party check in `rp.VerifyIDToken`
optional by adding an options parameter for dynamic verification
functions. This check is meant to be an optional validation requirement,
so some providers (including GCP) do not adhere to it.

See #405 for more context.

Closes #405

Author: Joerger

pkg/client/rp/relying_party_test.go

@@ -22,6 +22,7 @@ func Test_verifyTokenResponse(t *testing.T) {
 		KeySet:            tu.KeySet{},
 		MaxAge:            2 * time.Minute,
 		ACR:               tu.ACRVerify,
+		AZP:               oidc.DefaultAZPVerifier(tu.ValidClientID),
 		Nonce:             func(context.Context) string { return tu.ValidNonce },
 	}
 	tests := []struct {

pkg/client/rp/verifier.go

@@ -57,7 +57,7 @@ func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenV
 		return nilClaims, err
 	}
 
-	if err = oidc.CheckAuthorizedParty(claims, v.ClientID); err != nil {
+	if err = oidc.CheckAZPVerifier(claims, v.AZP); err != nil {
 		return nilClaims, err
 	}
 
@@ -86,6 +86,7 @@ func VerifyIDToken[C oidc.Claims](ctx context.Context, token string, v *IDTokenV
 	if err = oidc.CheckAuthTime(claims, v.MaxAge); err != nil {
 		return nilClaims, err
 	}
+
 	return claims, nil
 }
 
@@ -118,6 +119,7 @@ func NewIDTokenVerifier(issuer, clientID string, keySet oidc.KeySet, options ...
 		Nonce: func(_ context.Context) string {
 			return ""
 		},
+		AZP: oidc.DefaultAZPVerifier(clientID),
 	}
 
 	for _, opts := range options {
@@ -159,6 +161,13 @@ func WithACRVerifier(verifier oidc.ACRVerifier) VerifierOption {
 	}
 }
 
+// WithAZPVerifier sets the verifier for the azp claim
+func WithAZPVerifier(verifier oidc.AZPVerifier) VerifierOption {
+	return func(v *IDTokenVerifier) {
+		v.AZP = verifier
+	}
+}
+
 // WithAuthTimeMaxAge provides the ability to define the maximum duration between auth_time and now
 func WithAuthTimeMaxAge(maxAge time.Duration) VerifierOption {
 	return func(v *IDTokenVerifier) {

pkg/client/rp/verifier_test.go

@@ -21,6 +21,7 @@ func TestVerifyTokens(t *testing.T) {
 		KeySet:            tu.KeySet{},
 		MaxAge:            2 * time.Minute,
 		ACR:               tu.ACRVerify,
+		AZP:               oidc.DefaultAZPVerifier(tu.ValidClientID),
 		Nonce:             func(context.Context) string { return tu.ValidNonce },
 		ClientID:          tu.ValidClientID,
 	}
@@ -99,6 +100,7 @@ func TestVerifyIDToken(t *testing.T) {
 		KeySet:            tu.KeySet{},
 		MaxAge:            2 * time.Minute,
 		ACR:               tu.ACRVerify,
+		AZP:               oidc.DefaultAZPVerifier(tu.ValidClientID),
 		Nonce:             func(context.Context) string { return tu.ValidNonce },
 		ClientID:          tu.ValidClientID,
 	}
@@ -333,6 +335,7 @@ func TestNewIDTokenVerifier(t *testing.T) {
 					WithIssuedAtMaxAge(time.Hour),
 					WithNonce(nil), // otherwise assert.Equal will fail on the function
 					WithACRVerifier(nil),
+					WithAZPVerifier(nil),
 					WithAuthTimeMaxAge(2 * time.Hour),
 					WithSupportedSigningAlgorithms("ABC", "DEF"),
 				},

pkg/oidc/verifier.go

@@ -72,6 +72,7 @@ type Verifier struct {
 	SupportedSignAlgs []string
 	MaxAge            time.Duration
 	ACR               ACRVerifier
+	AZP               AZPVerifier
 	KeySet            KeySet
 	Nonce             func(ctx context.Context) string
 }
@@ -130,19 +131,43 @@ func CheckAudience(claims Claims, clientID string) error {
 	return nil
 }
 
+// AZPVerifier specifies the function to be used by the `DefaultVerifier` for validating the azp claim
+type AZPVerifier func(string) error
+
+// DefaultAZPVerifier implements `AZPVerifier` returning an error
+// if the azp claim is set and doesn't match the clientID.
+func DefaultAZPVerifier(clientID string) AZPVerifier {
+	return func(azp string) error {
+		if azp != "" && azp != clientID {
+			return fmt.Errorf("%w: azp %q must be equal to client_id %q", ErrAzpInvalid, azp, clientID)
+		}
+		return nil
+	}
+}
+
 // CheckAuthorizedParty checks azp (authorized party) claim requirements.
 //
 // If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
-// If an azp Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
+// If an azp Claim is present, the Client MAY verify that its client_id is the Claim Value.
 // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
 func CheckAuthorizedParty(claims Claims, clientID string) error {
+	return CheckAZPVerifier(claims, DefaultAZPVerifier(clientID))
+}
+
+// CheckAZPVerifier checks azp (authorized party) claim requirements.
+//
+// If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
+// If an azp Claim is present, the Client MAY verify that its client_id is the Claim Value.
+// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+func CheckAZPVerifier(claims Claims, azp AZPVerifier) error {
 	if len(claims.GetAudience()) > 1 {
 		if claims.GetAuthorizedParty() == "" {
 			return ErrAzpMissing
 		}
 	}
-	if claims.GetAuthorizedParty() != "" && claims.GetAuthorizedParty() != clientID {
-		return fmt.Errorf("%w: azp %q must be equal to client_id %q", ErrAzpInvalid, claims.GetAuthorizedParty(), clientID)
+
+	if err := azp(claims.GetAuthorizedParty()); err != nil {
+		return fmt.Errorf("%w: %v", ErrAzpInvalid, err)
 	}
 	return nil
 }

pkg/oidc/verifier_test.go

@@ -145,6 +145,7 @@ func TestCheckAuthorizedParty(t *testing.T) {
 	tests := []struct {
 		name    string
 		claims  Claims
+		azp     AZPVerifier
 		wantErr error
 	}{
 		{
@@ -174,6 +175,17 @@ func TestCheckAuthorizedParty(t *testing.T) {
 				AuthorizedParty: clientID,
 			},
 		},
+		{
+			name: "custom azp",
+			claims: &TokenClaims{
+				Audience:        []string{"not-client-id"},
+				AuthorizedParty: clientID,
+			},
+			azp: func(s string) error {
+				// skip check.
+				return nil
+			},
+		},
 		{
 			name: "wrong azp",
 			claims: &TokenClaims{
@@ -184,7 +196,11 @@ func TestCheckAuthorizedParty(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := CheckAuthorizedParty(tt.claims, clientID)
+			azp := tt.azp
+			if azp == nil {
+				azp = DefaultAZPVerifier(clientID)
+			}
+			err := CheckAZPVerifier(tt.claims, azp)
 			assert.ErrorIs(t, err, tt.wantErr)
 		})
 	}