Audience Injection Vulnerability in IETF OAuth 2.0 JWT Client Authentication

Vulnerability

A vulnerability allowing audience injection has been identified in certain IETF OAuth 2.0 specifications, specifically when the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (private_key_jwt or client_secret_jwt) is used. The root cause is ambiguity in the audience (aud) claim of the JWT the client sends to the authorization server: the specifications allow several audience values (the token endpoint URL, the issuer identifier, or other endpoint URLs), clients typically derive that value from authorization server metadata, and authorization servers commonly accept any of their own URLs, including multi-valued aud arrays. An attacker who can influence which audience value a client uses can therefore obtain a JWT that a different authorization server accepts, and use it to impersonate the client there. Affected specifications may include RFC 7521, RFC 7522, RFC 7523, RFC 9101 (JAR), and RFC 9126 (PAR).

Impact

Exploitation of this vulnerability allows an attacker to authenticate as a legitimate client at an authorization server that accepts the injected audience value, by replaying a JWT the client signed for what it believed was another party. Because client authentication protects the token endpoint (and, with PAR, the pushed authorization request endpoint), this can let the attacker redeem authorization codes or otherwise obtain tokens in the client's name, leading to unauthorized access to user resources.

Reproduction

To reproduce this vulnerability, an attacker needs the client to sign a client assertion whose aud value is one the targeted (honest) authorization server accepts, while the assertion itself is delivered to an endpoint the attacker controls. In the typical setup the attacker operates, or can inject metadata for, an authorization server the client also talks to, and advertises an endpoint URL of the honest authorization server (for example its token endpoint) where the client reads the audience value from. The client then builds a private key JWT assertion with that aud and sends it to the attacker, for instance in a pushed authorization request or token request addressed to the attacker-controlled endpoint. The attacker replays the captured assertion to the honest authorization server; if that server accepts the audience value, the attacker has authenticated as the client.

Remediation

Implementers are advised to update their handling of JWT audience claims in private key JWT assertions. Clients should be required to use the Authorization Server Issuer identifier as the sole audience value, and authorization servers should only accept JWTs whose aud is exactly their own issuer identifier: a single string compared for byte-for-byte equality, not a URL prefix match, and not an array in which the issuer merely appears alongside other values. Authorization servers should stop accepting their token, PAR or other endpoint URLs as audience values once their clients have migrated; until then, accepting the issuer identifier in addition to those URLs is the first step of the rollout. Clients should also keep validating that the issuer in retrieved metadata matches the location it was fetched from, since the fix relies on the issuer identifier not being attacker-choosable. These changes have been incorporated into the OpenID Foundation's FAPI specifications and will be included in updates to the relevant IETF OAuth specifications.
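The following is an added example, written for this page and not taken from any specification or implementation it references, that plays out the reproduction steps above against an honest authorization server's client authentication and then shows the remediated check. All identifiers (https://as.example, https://attacker.example, client-42, the shared secret) are constructed for the example. It signs with HMAC (client_secret_jwt) so that it runs on the standard library alone; for private_key_jwt the audience logic is identical and only the signature verification changes to an asymmetric algorithm.

```python
"""Audience injection against JWT client authentication: weak vs. strict aud check.

Added example; all URLs, client IDs and secrets below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

HONEST_ISSUER = "https://as.example"                 # honest AS issuer identifier
HONEST_TOKEN_ENDPOINT = "https://as.example/token"
HONEST_PAR_ENDPOINT = "https://as.example/par"
CLIENT_ID = "client-42"
CLIENT_SECRET = b"constructed-shared-secret-for-client-42"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_assertion(client_id, audience, secret, lifetime=60):
    """Client side: build a client assertion per RFC 7523 with the aud the client chose.

    `audience` is a string, or a list to show the multi-valued case."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse_and_verify(assertion, secret):
    """Check structure, pinned algorithm, signature and expiry; return the claims."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims


def weak_audience_ok(aud):
    """Pre-fix behaviour: any of the AS's own URLs, and any array containing one."""
    accepted = {HONEST_ISSUER, HONEST_TOKEN_ENDPOINT, HONEST_PAR_ENDPOINT}
    values = aud if isinstance(aud, list) else [aud]
    return any(v in accepted for v in values)


def strict_audience_ok(aud):
    """Remediated behaviour: exactly one string, equal to the issuer identifier."""
    return isinstance(aud, str) and aud == HONEST_ISSUER


def authenticate_client(assertion, secret, strict):
    """Honest AS client authentication: returns the client_id, or None on rejection."""
    try:
        claims = _parse_and_verify(assertion, secret)
    except ValueError:
        return None
    check = strict_audience_ok if strict else weak_audience_ok
    if not check(claims.get("aud")) or claims.get("iss") != claims.get("sub"):
        return None
    return claims["iss"]


def run_scenario():
    # The attacker-operated AS advertises the honest AS's token endpoint in its
    # metadata (constructed); the client derives aud from it and posts the
    # assertion to the attacker's PAR endpoint, where the attacker captures it.
    attacker_metadata = {"issuer": "https://attacker.example",
                         "token_endpoint": HONEST_TOKEN_ENDPOINT,
                         "pushed_authorization_request_endpoint": "https://attacker.example/par"}
    captured = make_client_assertion(CLIENT_ID, attacker_metadata["token_endpoint"], CLIENT_SECRET)
    # A remediated client uses the issuer of the AS it believes it is talking to.
    fixed_client = make_client_assertion(CLIENT_ID, attacker_metadata["issuer"], CLIENT_SECRET)
    honest = make_client_assertion(CLIENT_ID, HONEST_ISSUER, CLIENT_SECRET)
    multi = make_client_assertion(CLIENT_ID, [HONEST_ISSUER, "https://attacker.example"], CLIENT_SECRET)
    return {
        "weak_accepts_replay": authenticate_client(captured, CLIENT_SECRET, strict=False) == CLIENT_ID,
        "strict_accepts_replay": authenticate_client(captured, CLIENT_SECRET, strict=True) == CLIENT_ID,
        "weak_accepts_fixed_client": authenticate_client(fixed_client, CLIENT_SECRET, strict=False) == CLIENT_ID,
        "strict_accepts_honest": authenticate_client(honest, CLIENT_SECRET, strict=True) == CLIENT_ID,
        "strict_accepts_multi_aud": authenticate_client(multi, CLIENT_SECRET, strict=True) == CLIENT_ID,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The replayed assertion is accepted by the weak check and rejected by the strict one; the multi-valued aud is rejected as well, which matters because an attacker who can get the honest issuer into an array alongside a value they control would otherwise get the same result. The client-side half of the fix (aud set to the issuer the client believes it is talking to) already defeats the replay on its own, but only because the honest server never accepts another party's issuer identifier; that in turn depends on clients checking that metadata issuer values match where the metadata was fetched from.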

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.