diff --git a/src/agent/client/openid.rs b/src/agent/client/openid.rs
index 3a2b0f2..4abd1e5 100644
--- a/src/agent/client/openid.rs
+++ b/src/agent/client/openid.rs
@@ -43,7 +43,8 @@ pub struct OpenIdClient {
     after_logout_url: Option,
     /// The name of the query parameter sent to the issuer, containing the post-logout redirect URL
     post_logout_redirect_name: Option,
-    valid_audiences: Vec,
+    /// Additional audiences of the ID token which are considered trustworthy
+    additional_trusted_audiences: Vec,
 }
 
 /// Additional metadata read from the discovery endpoint
@@ -110,17 +111,13 @@ impl Client for OpenIdClient {
             ClientId::new(config.client_id.clone()),
             None,
         );
-        let valid_audiences = config
-            .additional
-            .valid_audiences
-            .unwrap_or(vec![config.client_id.clone()]);
 
         Ok(Self {
             client,
             end_session_url,
             after_logout_url,
             post_logout_redirect_name: config.additional.post_logout_redirect_name,
-            valid_audiences,
+            additional_trusted_audiences: config.additional.additional_trusted_audiences,
         })
     }
 
@@ -195,7 +192,9 @@ impl Client for OpenIdClient {
             &self
                 .client
                 .id_token_verifier()
-                .set_other_audience_verifier_fn(|aud| self.valid_audiences.contains(aud)),
+                .set_other_audience_verifier_fn(|aud| {
+                    self.additional_trusted_audiences.contains(aud)
+                }),
             &Nonce::new(state.nonce),
         )
         .map_err(|err| {
diff --git a/src/config.rs b/src/config.rs
index 38affa8..917aa09 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -29,7 +29,10 @@ pub mod openid {
     /// The defaults to `post_logout_redirect_uri` for OpenID RP initiated logout.
    /// However, e.g. older Keycloak instances require this to be `redirect_uri`.
     pub post_logout_redirect_name: Option,
-    pub valid_audiences: Option>,
+    /// Additional audiences of the ID token which are considered trustworthy.
+    ///
+    /// Those audiences are allowed in addition to the client ID.
+    pub additional_trusted_audiences: Vec,
 }
 }
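Review bot: The new field doc on `additional_trusted_audiences` in `OpenIdClient` says what the entries are but not what the verifier does with them, which is the security-relevant part for the next maintainer: the client ID is still required in `aud` regardless, and this list only decides whether an ID token carrying *extra* audiences is accepted, so an empty list means any token with a foreign audience is rejected. I would extend the comment to `/// Additional audiences of the ID token which are considered trustworthy. The client ID must always be present in `aud`; this list only whitelists extra audiences, an empty list rejects any token with a foreign audience.` That reading follows from how the list is used in `set_other_audience_verifier_fn` further down; if the verifier semantics differ, the comment should say so instead. The struct definition continues outside the hunk.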
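Review bot: The closure passed to `set_other_audience_verifier_fn` is now the only thing standing between a token minted for another client and this RP accepting it, and nothing in the hunk records that an ID token with several audiences is only safe to accept when `azp` is also checked against our client ID (OIDC Core 3.1.3.7). The `contains` check is exact-match, which is right; I would just add `// Exact match only: any audience not listed here (and not our client ID) fails verification. Relies on the verifier enforcing `azp` for multi-audience tokens.` above the closure so the dependency on the library's `azp` handling is explicit, and confirm the verifier used here does enforce it rather than assuming so. The enclosing function starts and ends outside the hunk.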
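Review bot: Changing `valid_audiences: Option<…>` to a plain `additional_trusted_audiences: Vec` makes the key mandatory if this struct is deserialized as-is, so every existing config without it would stop parsing, while a config that still sets the old `valid_audiences` key would presumably be ignored silently and its extra audiences would start being rejected at runtime with no hint why. If the struct is deserialized with serde (the attributes are not visible in the hunk), I would add `#[serde(default, alias = "valid_audiences")]` on the field so absence means "no extra audiences" and the old key keeps working; if the old key is meant to be retired, a startup error or warning on encountering it is preferable to silent ignoring. The doc text `Those audiences are allowed in addition to the client ID.` is good; it is worth adding a sentence that listing an audience here means accepting tokens issued for that other client, so the list should stay as short as possible. The enclosing `mod openid` and config struct start outside the hunk.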