Version: v4.38.18
Deployment Method: Kubernetes
Reverse Proxy: NGINX
Reverse Proxy Version: 4.12.0

Description
We are encountering an issue where, during the OIDC authorization flow in Authelia, the JWT token returned does not contain both the configured audience values. Specifically, when requesting a token for the OAuth2 Proxy client and passing the Kubernetes API client ID as the `audience` parameter, the returned JWT token only contains the original OAuth2 Proxy client ID in the `aud` field, rather than both client IDs as expected.
Reproduction
- Define two clients in the Authelia configuration:
  - Kubernetes API client:

```yaml
- client_name: Kubernetes API
  client_id: '{{ env "KUBERNETES_OIDC_CLIENT_ID" }}'
  client_secret: '{{ env "KUBERNETES_OIDC_CLIENT_HASHED_SECRET" }}'
  public: false
  grant_types: [authorization_code, refresh_token]
  pre_configured_consent_duration: 1y
  consent_mode: implicit
  response_types:
    ["code", "code id_token", "code token", "code id_token token"]
  redirect_uris: ["http://localhost:8000"]
  scopes: [openid, profile, email, groups, offline_access]
```

  - OAuth2 Proxy client:

```yaml
- client_name: OAuth2 Proxy
  client_id: '{{ env "OAUTH2_PROXY_OIDC_CLIENT_ID" }}'
  client_secret: '{{ env "OAUTH2_PROXY_OIDC_CLIENT_HASHED_SECRET" }}'
  public: false
  authorization_policy: two_factor
  pre_configured_consent_duration: 1y
  consent_mode: implicit
  redirect_uris:
    [
      "https://dashboard.${SECRET_DOMAIN_0}/oauth2/callback",
      "https://openidconnect.net/callback",
    ]
  scopes: [openid, profile, email, groups]
  userinfo_signed_response_alg: none
  token_endpoint_auth_method: client_secret_post
  audience:
    - '{{ env "KUBERNETES_OIDC_CLIENT_ID" }}'
    - '{{ env "OAUTH2_PROXY_OIDC_CLIENT_ID" }}'
  requested_audience_mode: implicit
```
- During the authorization flow, request a token for the OAuth2 Proxy client and pass the Kubernetes API client ID as the `audience` parameter:

```text
https://auth.example.com/api/oidc/authorization?
  client_id=REDACTED_OAUTH2_PROXY_CLIENT_ID
  &redirect_uri=https://openidconnect.net/callback
  &scope=openid profile email groups
  &response_type=code
  &state=REDACTED_STATE
  &audience=REDACTED_KUBERNETES_API_CLIENT_ID
```
Expectations
Expected Behavior: The JWT token returned should contain both the Kubernetes API and OAuth2 Proxy client IDs in the `aud` field, as these are the configured audience values for the OAuth2 Proxy client.

Actual Behavior: The returned JWT token only includes the OAuth2 Proxy client ID in the `aud` field, as shown below:
```json
{
  "amr": [
    "pwd",
    "sms",
    "mfa",
    "mca"
  ],
  "at_hash": "<redacted>",
  "aud": [
    "REDACTED_OAUTH2_CLIENT_ID"
  ],
  "auth_time": 1737674216,
  "azp": "REDACTED_OAUTH2_CLIENT_ID",
  "client_id": "REDACTED_OAUTH2_CLIENT_ID",
  "email": "<redacted>",
  "email_verified": true,
  "exp": 1737677822,
  "groups": [
    "<redacted_groups>"
  ],
  "iat": 1737674222,
  "iss": "https://auth.example.com",
  "jti": "<redacted>",
  "name": "<redacted>",
  "preferred_username": "<redacted>",
  "sub": "<redacted>"
}
```
I wonder if the issue might be related to how the `audience` parameter is being processed during the authorization flow. It's possible that only the first audience value is being applied, or maybe there's an issue with handling multiple audience values. Please let me know if I've misunderstood anything or if there's something else I should be considering!
Build Information

```text
Last Tag: v4.38.18
State: tagged clean
Branch: v4.38.18
Commit: 271239b95198b658f3b269b91f78bfaca4d04fe4
Build Number: 37797
Build OS: linux
Build Arch: amd64
Build Compiler: gc
Build Date: Wed, 01 Jan 2025 16:29:43 +1100
Extra:

Go:
    Version: go1.23.3
    Module Path: github.com/authelia/authelia/v4
    Executable Path: github.com/authelia/authelia/v4/cmd/authelia
```
Logs (Authelia)

```text
chown: /config/secret/..2025_01_23_23_15_33.1649288471/secretKey: Read-only file system
chown: /config/secret/..2025_01_23_23_15_33.1649288471: Read-only file system
chown: /config/secret/..2025_01_23_23_15_33.1649288471: Read-only file system
chown: /config/secret/..data: Read-only file system
chown: /config/secret/secretKey: Read-only file system
chown: /config/secret: Read-only file system
chown: /config/secret: Read-only file system
chown: /config/..2025_01_23_23_15_33.3462547562/configuration.yaml: Read-only file system
chown: /config/..2025_01_23_23_15_33.3462547562: Read-only file system
chown: /config/..2025_01_23_23_15_33.3462547562: Read-only file system
chown: /config/..data: Read-only file system
chown: /config/configuration.yaml: Read-only file system
chown: /config: Read-only file system
chown: /config: Read-only file system
time="2025-01-23T23:15:36Z" level=debug msg="Loaded Configuration Sources" files="[/config/configuration.yaml]" filters="[template]"
time="2025-01-23T23:15:36Z" level=debug msg="Logging Initialized" fields.level=debug file= format= keep_stdout=false
time="2025-01-23T23:15:36Z" level=debug msg="Process user information" gid=0 gids="1,2,3,4,6,10,11,20,26,27" name=root uid=0 username=root
time="2025-01-23T23:15:36Z" level=info msg="Authelia v4.38.18 is starting"
time="2025-01-23T23:15:36Z" level=info msg="Log severity set to debug"
time="2025-01-23T23:15:36Z" level=debug msg="Registering client <REDACTED_OAUTH2_PROXY_CLIENT_ID> with policy two_factor (two_factor)"
time="2025-01-23T23:15:36Z" level=debug msg="Registering client <REDACTED_KUBERNETES_API_CLIENT_ID> with policy two_factor (two_factor)"
time="2025-01-23T23:15:36Z" level=info msg="Storage schema is being checked for updates"
time="2025-01-23T23:15:36Z" level=info msg="Storage schema is already up to date"
time="2025-01-23T23:15:36Z" level=debug msg="LDAP Supported OIDs. Control Types: none. Extensions: 1.3.6.1.4.1.4203.1.11.1"
time="2025-01-23T23:15:36Z" level=debug msg="Create Server Service (metrics) skipped"
time="2025-01-23T23:15:36Z" level=info msg="Startup complete"
time="2025-01-23T23:15:36Z" level=info msg="Listening for non-TLS connections on '[::]:9091' path '/'" server=main service=server
time="2025-01-23T23:16:37Z" level=debug msg="Authorization Request with id '67066c95-4370-492d-9443-3d220738adef' on client with id '<REDACTED_OAUTH2_PROXY_CLIENT_ID>' is being processed" method=GET path=/api/oidc/authorization remote_ip=10.5.5.2
time="2025-01-23T23:16:47Z" level=debug msg="Mark 1FA authentication attempt made by user '<USER>'" method=POST path=/api/firstfactor remote_ip=10.5.5.2
time="2025-01-23T23:16:47Z" level=debug msg="Successful 1FA authentication attempt made by user '<USER>'" method=POST path=/api/firstfactor remote_ip=10.5.5.2
time="2025-01-23T23:16:48Z" level=debug msg="Authorization Request with id '6236ae05-3628-4e15-9281-84eaa9ef820c' on client with id '<REDACTED_OAUTH2_PROXY_CLIENT_ID>' is being processed" method=GET path=/api/oidc/authorization remote_ip=10.5.5.2
time="2025-01-23T23:16:48Z" level=debug msg="Authorization Request with id '6236ae05-3628-4e15-9281-84eaa9ef820c' on client with id '<REDACTED_OAUTH2_PROXY_CLIENT_ID>' using consent mode 'implicit' proceeding to generate a new consent session" method=GET path=/api/oidc/authorization remote_ip=10.5.5.2
time="2025-01-23T23:16:48Z" level=debug msg="Authorization Request with id '6236ae05-3628-4e15-9281-84eaa9ef820c' on client with id '<REDACTED_OAUTH2_PROXY_CLIENT_ID>' using consent mode 'implicit' authentication level 'one_factor' is insufficient for client level 'two_factor'" method=GET path=/api/oidc/authorization remote_ip=10.5.5.2
time="2025-01-23T23:16:48Z" level=debug msg="Authorization Request with id '6236ae05-3628-4e15-9281-84eaa9ef820c' on client with id '<REDACTED_OAUTH2_PROXY_CLIENT_ID>' using consent mode 'implicit' is being redirected to 'https://auth.example.com/?workflow=openid_connect&workflow_id=e867ec79-bd80-459a-abe7-ba5b75364d41'" method=GET path=/api/oidc/authorization remote_ip=10.5.5.2
time="2025-01-23T23:16:50Z" level=debug msg="Starting Duo PreAuth to check preferred device of user: <USER>" method=POST path=/api/secondfactor/duo remote_ip=10.5.5.2
time="2025-01-23T23:16:51Z" level=debug msg="Starting Duo Auth attempt for <USER> with device <DEVICE> and method push from IP 10.5.5.2" method=POST path=/api/secondfactor/duo remote_ip=10.5.5.2
time="2025-01-23T23:16:56Z" level=debug msg="Mark Duo authentication attempt made by user '<USER>'" method=POST path=/api/secondfactor/duo remote_ip=10.5.5.2
time="2025-01-23T23:16:56Z" level=debug msg="Successful Duo authentication attempt made by user '<USER>'" method=POST path=/api/secondfactor/duo remote_ip=10.5.5.2
time="2025-01-23T23:16:58Z" level=debug msg="Authorization Request with id 'b9f556de-b057-41a9-8e4c-5b239c003792' on client with id '<REDACTED_OAUTH2_PROXY_CLIENT_ID>' is being processed" method=GET path=/api/oidc/authorization remote_ip=10.5.5.2
time="2025-01-23T23:16:58Z" level=debug msg="Authorization Request with id 'b9f556de-b057-41a9-8e4c-5b239c003792' on client with id '<REDACTED_OAUTH2_PROXY_CLIENT_ID>' using policy 'two_factor' was successfully processed for user '<USER>' with groups: [<GROUPS>], proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=10.5.5.2
time="2025-01-23T23:17:02Z" level=debug msg="Access Request with id 'b9f556de-b057-41a9-8e4c-5b239c003792' on client with id '<REDACTED_OAUTH2_PROXY_CLIENT_ID>' is being processed" method=POST path=/api/oidc/token remote_ip=<redacted_ip>
time="2025-01-23T23:17:02Z" level=debug msg="Access Request with id 'b9f556de-b057-41a9-8e4c-5b239c003792' on client with id '<REDACTED_OAUTH2_PROXY_CLIENT_ID>' has successfully been processed" method=POST path=/api/oidc/token remote_ip=<redacted_ip>
```

Generative AI: Yes
Pre-Submission Checklist

- I agree to follow the Code of Conduct
- This is a bug report and not a support request
- I have read the security policy and this bug report is not a security issue or security related issue
- I have either included the complete configuration file or I am sure it's unrelated to the configuration
- I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant
- I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide
- I have checked for related proxy or application logs and included them if available
- I have checked for related issues and checked the documentation
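The practical consequence of the report above is on the consuming side: whichever party receives the token (here the Kubernetes API server, which is configured with its own client ID) must check that its identifier appears in `aud` and reject the token otherwise, so a token minted with only the OAuth2 Proxy client ID in `aud` will fail closed at the Kubernetes audience. The following is an added example, not Authelia's code or anything from the issue, showing that relying-party check as OIDC Core 3.1.3.7 describes it: signature, issuer, expiry, `aud` containing the expected client ID, and, when `aud` carries more than one value, the presence of `azp`. It assumes placeholder client IDs, a sample `iss` of `https://auth.example.com` as in the report, and HS256 with a constructed shared key so the sample tokens can be minted and verified offline; a real verifier would fetch the issuer's JWKS and verify RS256/ES256 instead. The sample tokens are constructed, not captured from the issue.

```python
"""Relying-party verification of an OIDC ID token's audience (added example).

HS256 with a shared key is used only so that sample tokens can be minted and
checked offline; Authelia signs with asymmetric keys published via JWKS and a
real verifier must use those.  All identifiers below are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-not-a-real-secret"  # hypothetical shared key
ISSUER = "https://auth.example.com"                  # issuer from the report
OAUTH2_PROXY_CLIENT_ID = "oauth2-proxy"              # placeholder client IDs
KUBERNETES_CLIENT_ID = "kubernetes-api"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(aud, azp=None, now=None) -> str:
    """Construct a sample ID token whose aud is the given list of client IDs."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": ISSUER,
        "sub": "user@example.com",
        "aud": list(aud),
        "iat": now,
        "exp": now + 3600,
        "auth_time": now - 6,
        "amr": ["pwd", "mfa"],
    }
    if azp is not None:
        claims["azp"] = azp
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, expected_audience: str, now=None) -> dict:
    """Verify signature, iss, exp and aud; raise ValueError on any failure.

    aud MUST contain the verifier's own client_id.  When aud has more than one
    value the token should also carry azp (the client it was issued to); the
    value is returned to the caller rather than compared, because a secondary
    audience such as the Kubernetes API server is not the authorized party.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never accept 'none' or an unexpected alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in aud:
        raise ValueError(f"aud {aud} does not contain {expected_audience!r}")
    if len(aud) > 1 and "azp" not in claims:
        raise ValueError("multi-audience token without azp")
    return claims


def audience_accepted(token: str, expected_audience: str, now=None) -> bool:
    """True if the token would be accepted by a verifier with this client ID."""
    try:
        verify_id_token(token, expected_audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The situation in the report: aud holds only the OAuth2 Proxy client ID.
    single = mint_id_token([OAUTH2_PROXY_CLIENT_ID], azp=OAUTH2_PROXY_CLIENT_ID)
    print("proxy accepts single-aud token:", audience_accepted(single, OAUTH2_PROXY_CLIENT_ID))
    print("kubernetes accepts single-aud token:", audience_accepted(single, KUBERNETES_CLIENT_ID))
    # The expected situation: both client IDs present, azp names the proxy.
    multi = mint_id_token([KUBERNETES_CLIENT_ID, OAUTH2_PROXY_CLIENT_ID], azp=OAUTH2_PROXY_CLIENT_ID)
    print("kubernetes accepts multi-aud token:", audience_accepted(multi, KUBERNETES_CLIENT_ID))
```

Run it as a script to see the two outcomes side by side; swap `SECRET`/HS256 for JWKS lookup and RS256 verification before using anything like this against a real issuer. The `alg` check matters: a verifier that honours whatever `alg` the header announces can be talked into `none` or into treating a public key as an HMAC secret.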