[PR #4147] [CLOSED] Allow for multiple "aud" values #6315

New Issue

Closed

opened 2026-02-05 10:29:06 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2026-02-05 10:29:06 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/BookStackApp/BookStack/pull/4147
Author: @the-voidl
Created: 3/31/2023
Status: ❌ Closed

Base: development ← Head: fix-multiple-audiences

---

📝 Commits (3)

• 0332cda allow for multiple "aud" values
• 67dce75 comply with openid RFC
• 60af9de fix codestyle and typos

📊 Changes

1 file changed (+5 additions, -12 deletions)

View changed files

📝 app/Auth/Access/Oidc/OidcIdToken.php (+5 -12)

📄 Description

Our oidc authentication endpoint (zitadel) returns multiple audience fields for the user and places the expected value in azp.

In OidcIdToken.php you were assuming that there can only be one audience, while RCF 7519 does not.

I added a check that allows to use azp once there are multiple aud values available in the token and the client id is found therein.

An example payload of our oicd server looks like this...:

{
  "iss": "https://oicd.example.com",
  "aud": [
    "823417009781275377@oicd",  
    "593371374829733854@oicd",
    "298754342231354326@oicd",       <--- this one is the $clientId
    "207625234567516721@oicd",
    "111111111111111111"
  ],
  "azp": "298754342231354326@oicd",   <---
  "at_hash": "h4ivntmqlr3v43_svT",
  "c_hash": "iv43lw34n4312A7af$_Vzc",

  "amr": [
    "password",
    "pwd",
    "mfa",
    "user"
  ],
  "exp": 1680264155,
  "iat": 1680260555,
  "auth_time": 1680247938,
  "email": "my.email@example.com",
  "email_verified": true,
  "family_name": "Name",
  "given_name": "GivenName",
  "name": "GivenName Name",
  "nickname": "GivenName Name",
  "preferred_username": "my.email@example.com",
  "sub": "111111111111111111",
  "updated_at": 1680255197,
  "urn:zitadel:iam:org:project:roles": {
    "admin": {
      "12345": "oicd.example.com"
    },
    "user": {
      "12345": "oicd.example.com"
    } 
  } 
}

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/BookStackApp/BookStack/pull/4147 **Author:** [@the-voidl](https://github.com/the-voidl) **Created:** 3/31/2023 **Status:** ❌ Closed **Base:** `development` ← **Head:** `fix-multiple-audiences` --- ### 📝 Commits (3) - [`0332cda`](https://github.com/BookStackApp/BookStack/commit/0332cda9f8541ac1225deb2d39b120ec62a980e9) allow for multiple "aud" values - [`67dce75`](https://github.com/BookStackApp/BookStack/commit/67dce75fc93c02a2065d1beff74df3deb39974ca) comply with openid RFC - [`60af9de`](https://github.com/BookStackApp/BookStack/commit/60af9de9db9857ab856be4990aaf615895e3339a) fix codestyle and typos ### 📊 Changes **1 file changed** (+5 additions, -12 deletions) <details> <summary>View changed files</summary> 📝 `app/Auth/Access/Oidc/OidcIdToken.php` (+5 -12) </details> ### 📄 Description Our oidc authentication endpoint (zitadel) returns multiple audience fields for the user and places the expected value in `azp`. In `OidcIdToken.php` you were assuming that there can only be one audience, while [RCF 7519](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3) does not. I added a check that allows to use `azp` once there are multiple `aud` values available in the token and the client id is found therein. <details> <summary>An example payload of our oicd server looks like this...:</summary> ``` { "iss": "https://oicd.example.com", "aud": [ "823417009781275377@oicd", "593371374829733854@oicd", "298754342231354326@oicd", <--- this one is the $clientId "207625234567516721@oicd", "111111111111111111" ], "azp": "298754342231354326@oicd", <--- "at_hash": "h4ivntmqlr3v43_svT", "c_hash": "iv43lw34n4312A7af$_Vzc", "amr": [ "password", "pwd", "mfa", "user" ], "exp": 1680264155, "iat": 1680260555, "auth_time": 1680247938, "email": "my.email@example.com", "email_verified": true, "family_name": "Name", "given_name": "GivenName", "name": "GivenName Name", "nickname": "GivenName Name", "preferred_username": "my.email@example.com", "sub": "111111111111111111", "updated_at": 1680255197, "urn:zitadel:iam:org:project:roles": { "admin": { "12345": "oicd.example.com" }, "user": { "12345": "oicd.example.com" } } } ``` </details> --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2026-02-05 10:29:06 +03:00

OVERLORD closed this issue 2026-02-05 10:29:07 +03:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

further_theme_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#6315