fix bug with customized oidc issuer

Signed-off-by: Brian DeHamer <bdehamer@github.com>
2026-04-22 05:48:04 +08:00 · 2024-09-04 09:52:08 -07:00
parent 6c4e082c18
commit 2a07de1333
5 changed files with 69 additions and 7 deletions
--- a/packages/attest/src/oidc.ts
+++ b/packages/attest/src/oidc.ts
@@ -49,10 +49,19 @@ const decodeOIDCToken = async (
  // Verify and decode token
  const jwks = jose.createLocalJWKSet(await getJWKS(issuer))
  const {payload} = await jose.jwtVerify(token, jwks, {
-    audience: OIDC_AUDIENCE,
-    issuer
+    audience: OIDC_AUDIENCE
  })

+  if (!payload.iss) {
+    throw new Error('Missing "iss" claim')
+  }
+
+  // Check that the issuer STARTS WITH the expected issuer URL to account for
+  // the fact that the value may include an enterprise-specific slug
+  if (!payload.iss.startsWith(issuer)) {
+    throw new Error(`Unexpected "iss" claim: ${payload.iss}`)
+  }
+
  return payload
 }