add iss check to oidc auth resp flow

allisonlarson · allisonlarson · commit 7acf6e0ac155 · 2025-11-28T15:47:52.000-08:00
diff --git a/api/acl.go b/api/acl.go
@@ -1232,6 +1232,8 @@ type ACLOIDCCompleteAuthRequest struct {
 	State       string
 	Code        string
 
+	Iss string
+
 	// RedirectURI is the URL that authorization should redirect to. This is a
 	// required parameter.
 	RedirectURI string
diff --git a/command/login.go b/command/login.go
@@ -256,6 +256,7 @@ func (l *LoginCommand) loginOIDC(ctx context.Context, client *api.Client) (*api.
 		ClientNonce:    callbackServer.Nonce(),
 		Code:           req.Code,
 		State:          req.State,
+		Iss:            req.Iss,
 	}
 
 	token, _, err := client.ACLAuth().CompleteAuth(&cbArgs, nil)
diff --git a/lib/auth/oidc/server.go b/lib/auth/oidc/server.go
@@ -87,6 +87,7 @@ func (s *CallbackServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		State:       q.Get("state"),
 		ClientNonce: s.clientNonce,
 		Code:        q.Get("code"),
+		Iss:         q.Get("iss"),
 	}
 
 	// Send our result. We don't block here because the channel should be
diff --git a/nomad/acl_endpoint.go b/nomad/acl_endpoint.go
@@ -2767,6 +2767,20 @@ func (a *ACL) OIDCCompleteAuth(
 		return fmt.Errorf("failed to generate OIDC provider: %v", err)
 	}
 
+	// Check if the OIDC provider requires the `iss` parameter to be
+	// validated
+	providerMetadata := struct {
+		AuthorizationResponseIssParameterSupported bool `json:"authorization_response_iss_parameter_supported"`
+	}{}
+	if err := oidcProvider.Claims(&providerMetadata); err != nil {
+		return fmt.Errorf("failed to retrieve OIDC provider metadata: %v", err)
+	}
+	if providerMetadata.AuthorizationResponseIssParameterSupported {
+		if args.Iss == "" || args.Iss != authMethod.Config.OIDCDiscoveryURL {
+			return structs.NewErrRPCCodedf(http.StatusBadRequest, "invalid or missing iss parameter")
+		}
+	}
+
 	// Retrieve the request generated in OIDCAuthURL()
 	oidcReq := a.oidcRequestCache.LoadAndDelete(args.ClientNonce) // I am so done with this NONCENSE
 	if oidcReq == nil {
diff --git a/nomad/structs/acl.go b/nomad/structs/acl.go
@@ -2350,6 +2350,7 @@ type ACLOIDCCompleteAuthRequest struct {
 	ClientNonce string
 	State       string
 	Code        string
+	Iss         string
 
 	// RedirectURI is the URL that authorization should redirect to. This is a
 	// required parameter.

Original file line number	Diff line number	Diff line change
`@@ -256,6 +256,7 @@ func (l LoginCommand) loginOIDC(ctx context.Context, client api.Client) (*api.`
`256`	`256`	`ClientNonce: callbackServer.Nonce(),`
`257`	`257`	`Code: req.Code,`
`258`	`258`	`State: req.State,`
	`259`	`+ Iss: req.Iss,`
`259`	`260`	`}`
`260`	`261`
`261`	`262`	`token, _, err := client.ACLAuth().CompleteAuth(&cbArgs, nil)`
Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,7 @@ func (s CallbackServer) ServeHTTP(w http.ResponseWriter, req http.Request) {`
`87`	`87`	`State: q.Get("state"),`
`88`	`88`	`ClientNonce: s.clientNonce,`
`89`	`89`	`Code: q.Get("code"),`
	`90`	`+ Iss: q.Get("iss"),`
`90`	`91`	`}`
`91`	`92`
`92`	`93`	`// Send our result. We don't block here because the channel should be`