authorPatrick Cloke <clokep@users.noreply.github.com>2020-07-14 07:16:43 -0400
committerGitHub <noreply@github.com>2020-07-14 07:16:43 -0400
commit77d2c054100f4b0ebe8a027d510a42ff5af09667 (patch)
tree8761149a62809580df445180b327db8445081569 /synapse/config
parentImprove the type hints of synapse.api.errors. (#7820) (diff)
Add the option to validate the `iss` and `aud` claims for JWT logins. (#7827)
Diffstat (limited to 'synapse/config')
-rw-r--r--synapse/config/jwt_config.py28
1 files changed, 28 insertions, 0 deletions
diff --git a/synapse/config/jwt_config.py b/synapse/config/jwt_config.py
index fce96b4acf..3252ad9e7f 100644
--- a/synapse/config/jwt_config.py
+++ b/synapse/config/jwt_config.py
@@ -32,6 +32,11 @@ class JWTConfig(Config):
             self.jwt_secret = jwt_config["secret"]
             self.jwt_algorithm = jwt_config["algorithm"]
 
+            # The issuer and audiences are optional, if provided, it is asserted
+            # that the claims exist on the JWT.
+            self.jwt_issuer = jwt_config.get("issuer")
+            self.jwt_audiences = jwt_config.get("audiences")
+
             try:
                 import jwt
 
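Review bot: The new `jwt_issuer` and `jwt_audiences` values are stored straight from `jwt_config.get(...)` without any type check, so a mis-typed config (an `issuer` given as a list, or `audiences` given as a scalar or a list containing non-strings) is not rejected at startup and would presumably only surface when the first JWT login is attempted; the rest of this block already raises at load time for a missing `secret`/`algorithm`, so the optional keys should be validated in the same place. Since the enclosing `read_config` begins outside the hunk, I cannot confirm whether `ConfigError` is already imported here — if not, it is available from `._base`. The comment on the first two added lines could also be tightened to `# Optional. When set, the corresponding "iss"/"aud" claim becomes required and is verified.`

```python
            self.jwt_algorithm = jwt_config["algorithm"]

            # Optional. When set, the corresponding "iss"/"aud" claim becomes
            # required and is verified; when unset, that claim is not checked.
            self.jwt_issuer = jwt_config.get("issuer")
            if self.jwt_issuer is not None and not isinstance(self.jwt_issuer, str):
                raise ConfigError("jwt_config.issuer must be a string")

            self.jwt_audiences = jwt_config.get("audiences")
            if self.jwt_audiences is not None and not (
                isinstance(self.jwt_audiences, list)
                and all(isinstance(a, str) for a in self.jwt_audiences)
            ):
                raise ConfigError("jwt_config.audiences must be a list of strings")

            # … unchanged: try/import jwt …
```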
@@ -42,6 +47,8 @@ class JWTConfig(Config):
             self.jwt_enabled = False
             self.jwt_secret = None
             self.jwt_algorithm = None
+            self.jwt_issuer = None
+            self.jwt_audiences = None
 
     def generate_config_section(self, **kwargs):
         return """\
@@ -52,6 +59,9 @@ class JWTConfig(Config):
         # Each JSON Web Token needs to contain a "sub" (subject) claim, which is
         # used as the localpart of the mxid.
         #
+        # Additionally, the expiration time ("exp"), not before time ("nbf"),
+        # and issued at ("iat") claims are validated if present.
+        #
         # Note that this is a non-standard login type and client support is
         # expected to be non-existant.
         #
@@ -78,4 +88,22 @@ class JWTConfig(Config):
             # Required if 'enabled' is true.
             #
             #algorithm: "provided-by-your-issuer"
+
+            # The issuer to validate the "iss" claim against.
+            #
+            # Optional, if provided the "iss" claim will be required and
+            # validated for all JSON web tokens.
+            #
+            #issuer: "provided-by-your-issuer"
+
+            # A list of audiences to validate the "aud" claim against.
+            #
+            # Optional, if provided the "aud" claim will be required and
+            # validated for all JSON web tokens.
+            #
+            # Note that if the "aud" claim is included in a JSON web token then
+            # validation will fail without configuring audiences.
+            #
+            #audiences:
+            #    - "provided-by-your-issuer"
         """