Protecting an Axum app with OpenID and Zitadel
Question
I try to protect an Axum application by using OpenID and Zitadel. I followed quite closely this quickstart and this authentication flow using PKCE. Everything works fine up until this line:
let claims = id_token.claims(&client.id_token_verifier(), &nonce)?;
It causes the following error:
> InvalidAudience("213170295903617281 is not a trusted audience")
The client allows me to disable the check by calling required_audience_match(false) which "solves" the problem. So obviously something with the audience seems to be wrong. I checked the source code and dumped the available data just before this line and got:
Audiences:
Audience("213170295903617281")
Audience("213170529090208001@mydemo")
Client ID: "213170529090208001@mydemo"
The client id is correct and the one I passed to my client. There is obviously a second one returned by Zitadel. I don't know where it comes from.
Reading the Rust code of the openidconnect crate I came to the impression that it will always fail if there are multiple audiences, which looks odd to me, but I might be missing something.
Looks to me like Zitadel and the openidconnect crate do not fully agree on how OpenID is supposed to work, or I'm missing something I have to set up to make it work properly.
Can somebody explain the reason for the second audience and how it is supposed to be handled?
Answer 1
Score: 1
I was having this exact problem. I noticed that the other audience was an exact match for the Zitadel resource ID of my project. Instead of using the default verifier or disabling the verifier, I called set_other_audience_verifier_fn, and passed it a function that checks if the audience is one of those two IDs. This solved my audience problem, though I now get an error about the signature verification ("NoMatchingKey"), so we'll see if I can successfully verify the token.
Comments