MEDIUM 6.8

GHSA-hcxc-wf8j-23hv

OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset

Details

## Description

OpenFGA's OIDC authenticator skipped JWT audience (`aud`) validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA.

## Preconditions

This applies if the following preconditions are met:

1. You run OpenFGA with `authn.method` set to `oidc`. 2. You configured `authn.oidc.issuer` but did **not** set `authn.oidc.audience` (`--authn-oidc-audience` / `OPENFGA_AUTHN_OIDC_AUDIENCE`).

## Fix

Upgrade to OpenFGA 1.18.0 or greater. OpenFGA now refuses to start in `oidc` mode unless both `authn.oidc.issuer` and `authn.oidc.audience` are set, and the `aud` claim is always validated.

## Acknowledgements

OpenFGA would like to thank https://github.com/0xVijay for the report.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/openfga/openfga

Introduced in: 0 Fixed in: 1.18.0

Fix go get github.com/openfga/openfga@v1.18.0

Details

Are you affected?

Affected packages

References