Protecting an Axum app with OpenID and Zitadel

Question


I am trying to protect an Axum application by using OpenID and Zitadel. I followed quite closely this quickstart and this authentication flow using PKCE. Everything works fine up until this line:

let claims = id_token.claims(&client.id_token_verifier(), &nonce)?;

It causes the following error:

> InvalidAudience("213170295903617281 is not a trusted audience")'

The client allows me to disable the check by calling required_audience_match(false) which "solves" the problem. So obviously something with the audience seems to be wrong. I checked the source code and dumped the available data just before this line and got:

Audiences:
  Audience("213170295903617281")
  Audience("213170529090208001@mydemo")
Client ID: "213170529090208001@mydemo"

The client id is correct and the one I passed to my client. There is obviously a second one returned by Zitadel. I don't know where it comes from.

Reading the Rust code of the openidconnect crate, I got the impression that it will always fail if there are multiple audiences, which looks odd to me, but I might be missing something.

Looks to me like Zitadel and the openidconnect crate do not fully agree on how OpenID is supposed to work, or I'm missing something I have to set up to make it work properly.

Can somebody explain the reason for the second audience and how it is supposed to be handled?

Answer 1

Score: 1

I was having this exact problem. I noticed that the other audience was an exact match for the Zitadel resource ID of my project. Instead of using the default verifier or disabling the verifier, I called set_other_audience_verifier_fn, and passed it a function that checks if the audience is one of those two IDs. This solved my audience problem, though I now get an error about the signature verification ("NoMatchingKey"), so we'll see if I can successfully verify the token.
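The audience rule the answer is working around, as an added example that is not code from the question, the answer or the openidconnect crate: the client ID must appear in `aud`, and every other audience is rejected unless an explicit predicate accepts it, which is why the second (project resource ID) audience fails by default. The `Audience` newtype here is a stand-in for the crate's type; with the crate, a closure of the same shape as `other_audience_ok` is what you pass to `client.id_token_verifier().set_other_audience_verifier_fn(...)`.

```rust
// Stand-in for the `Audience` newtype the crate returns from `claims.audiences()`.
#[derive(Debug, Clone, PartialEq)]
pub struct Audience(pub String);

/// Verify the `aud` claim: the client ID must be present, and any additional
/// audience must be explicitly trusted by `other_audience_ok`.
pub fn verify_audiences(
    audiences: &[Audience],
    client_id: &str,
    other_audience_ok: impl Fn(&Audience) -> bool,
) -> Result<(), String> {
    // OIDC Core 3.1.3.7: the relying party's client ID must be listed in `aud`.
    if !audiences.iter().any(|a| a.0 == client_id) {
        return Err(format!("audience does not contain client id {}", client_id));
    }
    // Every other audience needs an explicit allow decision, otherwise the
    // token is rejected with the error seen in the question.
    for aud in audiences.iter().filter(|a| a.0 != client_id) {
        if !other_audience_ok(aud) {
            return Err(format!("InvalidAudience({} is not a trusted audience)", aud.0));
        }
    }
    Ok(())
}

// Constructed sample using the two audiences and client ID from the question.
pub const CLIENT_ID: &str = "213170529090208001@mydemo";
pub const PROJECT_ID: &str = "213170295903617281"; // Zitadel project resource ID

pub fn sample_audiences() -> Vec<Audience> {
    vec![Audience(PROJECT_ID.to_string()), Audience(CLIENT_ID.to_string())]
}

/// Default behaviour: no extra audience is trusted, so the token is rejected.
pub fn check_default() -> Result<(), String> {
    verify_audiences(&sample_audiences(), CLIENT_ID, |_| false)
}

/// The fix from the answer: trust exactly the project resource ID as the other
/// audience, instead of disabling the audience check altogether.
pub fn check_with_project_allowlist() -> Result<(), String> {
    let trusted = [PROJECT_ID];
    verify_audiences(&sample_audiences(), CLIENT_ID, move |aud| {
        trusted.contains(&aud.0.as_str())
    })
}

fn main() {
    println!("default verifier:   {:?}", check_default());
    println!("project allow-list: {:?}", check_with_project_allowlist());
}
```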

huangapple
  • Posted on 2023-05-10 19:24:49
  • Please keep this link when reposting: https://go.coder-hub.com/76217815.html