ext_jwt: streamline expected aud in access tokens and id tokens (#87401)

pkg/services/authn/clients/ext_jwt.go

@@ -21,25 +21,22 @@ import (
 var _ authn.Client = new(ExtendedJWT)
 
 const (
-	rfc9068ShortMediaType          = "at+jwt"
 	extJWTAuthenticationHeaderName  = "X-Access-Token"
 	extJWTAuthorizationHeaderName   = "X-Grafana-Id"
+	extJWTAccessTokenExpectAudience = "grafana"
 )
 
 func ProvideExtendedJWT(userService user.Service, cfg *setting.Cfg,
 	signingKeys signingkeys.Service) *ExtendedJWT {
 	verifier := authlib.NewAccessTokenVerifier(authlib.VerifierConfig{
 		SigningKeysURL:   cfg.ExtJWTAuth.JWKSUrl,
-		AllowedAudiences: []string{
-			cfg.ExtJWTAuth.ExpectAudience,
-		},
+		AllowedAudiences: []string{extJWTAccessTokenExpectAudience},
 	})
 
+	// For ID tokens, we explicitly do not validate audience, hence an empty AllowedAudiences
+	// Namespace claim will be checked
 	idTokenVerifier := authlib.NewIDTokenVerifier(authlib.VerifierConfig{
 		SigningKeysURL: cfg.ExtJWTAuth.JWKSUrl,
-		AllowedAudiences: []string{
-			cfg.ExtJWTAuth.ExpectAudience,
-		},
 	})
 
 	return &ExtendedJWT{

pkg/services/authn/clients/ext_jwt_test.go

@@ -38,7 +38,7 @@ var (
 		Claims: &jwt.Claims{
 			Issuer:   "http://localhost:3000",
 			Subject:  "access-policy:this-uid",
-			Audience: jwt.Audience{"http://localhost:3000"},
+			Audience: jwt.Audience{extJWTAccessTokenExpectAudience},
 			ID:       "1234567890",
 			Expiry:   jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)),
 			IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)),
@@ -54,7 +54,7 @@ var (
 		Claims: &jwt.Claims{
 			Issuer:   "http://localhost:3000",
 			Subject:  "user:2",
-			Audience: jwt.Audience{"http://localhost:3000"},
+			Audience: jwt.Audience{"stack:1"},
 			ID:       "1234567890",
 			Expiry:   jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)),
 			IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)),
@@ -68,7 +68,7 @@ var (
 		Claims: &jwt.Claims{
 			Issuer:   "http://localhost:3000",
 			Subject:  "access-policy:this-uid",
-			Audience: jwt.Audience{"http://localhost:3000"},
+			Audience: jwt.Audience{extJWTAccessTokenExpectAudience},
 			ID:       "1234567890",
 			Expiry:   jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)),
 			IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)),
@@ -81,7 +81,7 @@ var (
 		Claims: &jwt.Claims{
 			Issuer:   "http://localhost:3000",
 			Subject:  "user:2",
-			Audience: jwt.Audience{"http://localhost:3000"},
+			Audience: jwt.Audience{"stack:1234"},
 			ID:       "1234567890",
 			Expiry:   jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)),
 			IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)),
@@ -532,7 +532,6 @@ func setupTestCtx(cfg *setting.Cfg) *testEnv {
 			ExtJWTAuth: setting.ExtJWTSettings{
 				Enabled:      true,
 				ExpectIssuer: "http://localhost:3000",
-				ExpectAudience: "http://localhost:3000",
 			},
 		}
 	}

pkg/setting/setting_jwt.go

@@ -28,7 +28,6 @@ type AuthJWTSettings struct {
 type ExtJWTSettings struct {
 	Enabled      bool
 	ExpectIssuer string
-	ExpectAudience string
 	JWKSUrl      string
 }
 
@@ -36,7 +35,6 @@ func (cfg *Cfg) readAuthExtJWTSettings() {
 	authExtendedJWT := cfg.SectionWithEnvOverrides("auth.extended_jwt")
 	jwtSettings := ExtJWTSettings{}
 	jwtSettings.Enabled = authExtendedJWT.Key("enabled").MustBool(false)
-	jwtSettings.ExpectAudience = authExtendedJWT.Key("expect_audience").MustString("")
 	jwtSettings.JWKSUrl = authExtendedJWT.Key("jwks_url").MustString("")
 	cfg.ExtJWTAuth = jwtSettings
 }