From ddcd419b4c4255edb103e2dc425ff912e36a12e0 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Mon, 26 Jul 2021 19:40:15 -0700
Subject: [PATCH] always validate JWT token audience (#12797)

audience for the JWT token should match the configured client_id, this allows rejecting valid JWTs not meant for MinIO.
---
 cmd/sts-handlers.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index 1af94c13a..96a6c040c 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -58,6 +58,7 @@ const (
 	// JWT claim keys
 	expClaim = "exp"
 	subClaim = "sub"
+	audClaim = "aud"
 	issClaim = "iss"
 
 	// JWT claim to check the parent user
@@ -332,13 +333,25 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
+	var audFromToken string
+	if v, ok := m[audClaim]; ok {
+		audFromToken, _ = v.(string)
+	}
+
 	var subFromToken string
 	if v, ok := m[subClaim]; ok {
 		subFromToken, _ = v.(string)
 	}
 
 	if subFromToken == "" {
-		writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
+		writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
+			errors.New("STS JWT Token has `sub` claim missing, `sub` claim is mandatory"))
+		return
+	}
+
+	if audFromToken != globalOpenIDConfig.ClientID {
+		writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
+			errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID"))
 		return
 	}
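Review bot: The new `aud` extraction in AssumeRoleWithSSO only accepts a string, `audFromToken, _ = v.(string)`, but RFC 7519 §4.1.3 allows `aud` to be either a single string or an array of strings, so a token whose audience is encoded as a JSON array (which decodes to `[]interface{}` if `m` is a `map[string]interface{}`, as the type assertions suggest) yields an empty `audFromToken` and is rejected even when the array contains the configured client ID. The failure is closed rather than open, which is the right default, but it will break sign-in against providers that emit array audiences, and the error message will point operators at a claim that is in fact present. The check should collect audiences from both forms and require that one of them equals `globalOpenIDConfig.ClientID`; if the configuration permits an empty ClientID, the comparison should also reject that case explicitly, since an absent `aud` would otherwise compare equal to an empty ClientID. The enclosing handler starts and ends outside this hunk.
```go
	// `aud` may be a single string or an array of strings (RFC 7519 §4.1.3).
	var audFromToken []string
	switch v := m[audClaim].(type) {
	case string:
		audFromToken = []string{v}
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok {
				audFromToken = append(audFromToken, s)
			}
		}
	}

	// … unchanged: `sub` claim extraction and mandatory check …

	audMatched := false
	for _, aud := range audFromToken {
		if aud == globalOpenIDConfig.ClientID {
			audMatched = true
			break
		}
	}
	if globalOpenIDConfig.ClientID == "" || !audMatched {
		writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue,
			errors.New("STS JWT Token has `aud` claim invalid, `aud` must match configured OpenID Client ID"))
		return
	}
```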