oidc: Remove "aud" claim validation of logout tokens (#6156)

The "aud" claim of the logout token is supposed to contain the client-id of the client for which the token was issued. Our current implementation of validating that claim is somewhat broken. We only allow to configure a single value for the allowed client id. But we have different client-ids accessing oCIS. This completely removes the current validation of the `aud` claim until we come up with a working solution. As we currently require a session id to be present in the logout token the risk not validating the `aud` claim is pretty low. Related: #6149
2026-03-07 21:40:11 -06:00 · 2023-04-27 10:34:09 +02:00
parent 8d06b293b4
commit b7990875c1
6 changed files with 2 additions and 111 deletions
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -87,8 +87,6 @@ func Server(cfg *config.Config) *cli.Command {
 				oidc.WithHTTPClient(oidcHTTPClient),
 				oidc.WithOidcIssuer(cfg.OIDC.Issuer),
 				oidc.WithJWKSOptions(cfg.OIDC.JWKS),
-				oidc.WithClientID(cfg.OIDC.ClientID),
-				oidc.WithSkipClientIDCheck(cfg.OIDC.SkipClientIDCheck),
 			)

 			var (
--- a/services/proxy/pkg/config/config.go
+++ b/services/proxy/pkg/config/config.go
@@ -108,8 +108,6 @@ type OIDC struct {
 	UserinfoCache           *Cache `yaml:"user_info_cache"`
 	JWKS                    JWKS   `yaml:"jwks"`
 	RewriteWellKnown        bool   `yaml:"rewrite_well_known" env:"PROXY_OIDC_REWRITE_WELLKNOWN" desc:"Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider."`
-	ClientID                string `yaml:"client_id" env:"OCIS_OIDC_CLIENT_ID;PROXY_OIDC_CLIENT_ID" desc:"OIDC client ID, which ownCloud Web uses. This client needs to be set up in your external IDP (has no effect when using the builtin IDP)."`
-	SkipClientIDCheck       bool   `yaml:"skip_client_id_check" env:"PROXY_OIDC_SKIP_CLIENT_ID_CHECK" desc:"If true will skip checking the configured client ID is present in audience claims. See following chapter for more details: https://openid.net/specs/openid-connect-core-1_0.html#IDToken"`
 }

 type JWKS struct {
--- a/services/proxy/pkg/config/defaults/defaultconfig.go
+++ b/services/proxy/pkg/config/defaults/defaultconfig.go
@@ -53,7 +53,6 @@ func DefaultConfig() *config.Config {
 				RefreshTimeout:    10, // seconds
 				RefreshUnknownKID: true,
 			},
-			ClientID: "web",
 		},
 		PolicySelector: nil,
 		RoleAssignment: config.RoleAssignment{