Public bug reported:

Description:    Ubuntu 24.04.1 LTS
Release:        24.04
dovecot-core/noble-updates 1:2.3.21+dfsg1-2ubuntu6.1

On Ubuntu’s Dovecot build, local OAuth2/JWT validation fails if the JWT
aud claim is a JSON array. Dovecot logs:

Local validation failed: client_id set but aud is missing

This happens even though aud is present (as an array):
{ "aud": ["dovecot", "https://checkin.thga.de"], ... }

Upstream Dovecot release-2.3.21 uses an array-aware accessor:

    get_field_multiple(tree, "aud")
    Source: src/lib-oauth2/oauth2-jwt.c (release-2.3.21 branch)

But Ubuntu appears to be built from code corresponding to the 2.3.21 tag
where it uses:

    get_field(tree, "aud")
    Source: src/lib-oauth2/oauth2-jwt.c (2.3.21 tag)

With get_field(), aud arrays are not handled, so aud is treated as
missing.

** Affects: dovecot (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142200

Title:
  dovecot-core: OAuth2 JWT validation fails with client_id set but aud
  is missing when aud claim is an array

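The failure mode described in the report, as an added Python example that is not Dovecot's code: RFC 7519 allows aud to be either a single string or an array of strings, so a scalar-only lookup reports an array-valued aud as missing, while an array-aware lookup accepts it and still rejects tokens issued for another audience. The accessor names, the sample tokens and the client_id value "dovecot" are assumptions made for illustration.

```python
import base64
import json

def make_token(claims):
    """Build a constructed, unsigned sample token (signature segment is a placeholder)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

def payload_of(token):
    """Decode the payload segment only; signature verification is out of scope here."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def scalar_field(claims, name):
    """Hypothetical scalar-only accessor: a non-string value reads as absent."""
    value = claims.get(name)
    return value if isinstance(value, str) else None

def multi_field(claims, name):
    """Hypothetical array-aware accessor: string or non-empty array of strings -> list."""
    value = claims.get(name)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and value and all(isinstance(v, str) for v in value):
        return value
    return None

def check_aud(token, client_id, accessor):
    aud = accessor(payload_of(token), "aud")
    if aud is None:
        return "client_id set but aud is missing"   # message quoted in the report
    if isinstance(aud, str):
        aud = [aud]
    # Exact, case-sensitive membership: no prefix or substring matching.
    return "ok" if client_id in aud else "client_id not in aud"  # example's own wording

# Constructed sample tokens; the first uses the aud value shown in the report.
ARRAY_TOKEN = make_token({"aud": ["dovecot", "https://checkin.thga.de"]})
STRING_TOKEN = make_token({"aud": "dovecot"})
OTHER_TOKEN = make_token({"aud": ["some-other-service"]})

if __name__ == "__main__":
    for label, tok in [("array", ARRAY_TOKEN), ("string", STRING_TOKEN), ("other", OTHER_TOKEN)]:
        for acc in (scalar_field, multi_field):
            print(label, acc.__name__, "->", check_aud(tok, "dovecot", acc))
```

The third token is the regression check worth keeping when switching accessors: handling arrays must not turn into accepting any token that merely carries an aud claim.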