From 1cbaf4eea32004b2594265a5f698843987e6de39 Mon Sep 17 00:00:00 2001
From: XakepSDK
Date: Thu, 25 Apr 2024 20:05:53 +0500
Subject: [PATCH] [FIX OpenID validate issuer and aud (#710)
Co-authored-by: d3coder
---
 .../launchserver/auth/core/openid/OpenIDAuthenticator.java | 5 ++++-
 .../gravit/launchserver/auth/core/openid/OpenIDConfig.java | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/OpenIDAuthenticator.java b/LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/OpenIDAuthenticator.java
index 3488e1c3..29870c32 100644
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/OpenIDAuthenticator.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/OpenIDAuthenticator.java
@@ -36,7 +36,10 @@ public class OpenIDAuthenticator {
 public OpenIDAuthenticator(OpenIDConfig openIDConfig) {
 this.openIDConfig = openIDConfig;
 var keyLocator = loadKeyLocator(openIDConfig);
- this.jwtParser = Jwts.parser().keyLocator(keyLocator)
+ this.jwtParser = Jwts.parser()
+ .keyLocator(keyLocator)
+ .requireIssuer(openIDConfig.issuer())
+ .requireAudience(openIDConfig.clientId())
 .build();
 }
diff --git a/LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/OpenIDConfig.java b/LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/OpenIDConfig.java
index 395f2046..2d4f3bae 100644
--- a/LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/OpenIDConfig.java
+++ b/LaunchServer/src/main/java/pro/gravit/launchserver/auth/core/openid/OpenIDConfig.java
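Review bot: In the OpenIDAuthenticator constructor, `openIDConfig.issuer()` and `openIDConfig.clientId()` go straight into `requireIssuer` / `requireAudience` with no null or blank check. `issuer` is a new component of OpenIDConfig (second file of this patch), so a configuration written before this commit may leave it unset. Depending on how the JWT library treats a null expected value, the issuer check could then be skipped silently instead of failing. I would fail at construction, e.g. `Objects.requireNonNull(openIDConfig.issuer(), "OpenID issuer must be configured");` before building the parser (this needs `java.util.Objects` imported), and do the same for `clientId`. The enclosing class and `loadKeyLocator` lie outside the hunk, so I cannot see whether the config is validated elsewhere.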
@@ -3,7 +3,8 @@ import java.net.URI;
 public record OpenIDConfig(URI tokenUri, String authorizationEndpoint, String clientId, String clientSecret,
- String redirectUri, URI jwksUri, String scopes, ClaimExtractorConfig extractorConfig) {
+ String redirectUri, URI jwksUri, String scopes, String issuer,
+ ClaimExtractorConfig extractorConfig) {
 public record ClaimExtractorConfig(String usernameClaim, String uuidClaim) {}
 }
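Review bot: The new `issuer` component of `OpenIDConfig` is undocumented, and the record has no Javadoc telling an operator what value to put there. The authenticator passes it to `requireIssuer`, which presumably compares it with the token's `iss` claim as an exact string, so a small mismatch such as a trailing slash would reject every token. I would add a record-level Javadoc with `@param issuer expected value of the token's iss claim, exactly as the provider publishes it; must be set`. Inserting the component before `extractorConfig` also changes the canonical constructor's positional order, so any code that constructs `OpenIDConfig` directly (none is visible here) needs updating.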