Oxia OIDC Authentication Audience Validation Bypass Vulnerability

Vulnerability

A vulnerability in Oxia, a metadata store and coordination system, allows audience validation to be bypassed in OpenID Connect (OIDC) authentication. Prior to version 0.16.2, the OIDC authentication provider set SkipClientIDCheck to true, disabling the library-level validation of the audience (aud) claim. As a result, tokens issued by the same OIDC issuer for a different service were accepted by Oxia, undermining the audience isolation that OAuth2/OIDC is meant to provide.
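The audience check that SkipClientIDCheck disables, as an added example in Go (not Oxia's or go-oidc's own code): the aud claim, read from a token whose signature, issuer and expiry are assumed to have been verified already, must name the expected client ID, and with the skip flag set a token the same issuer minted for another service is accepted. The function names, the expected client ID "oxia" and the issuer URL are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// audience accepts the JWT "aud" claim as a single string or a string array.
type audience []string
func (a *audience) UnmarshalJSON(b []byte) error {
	var s string
	if json.Unmarshal(b, &s) == nil { // single-string form
		*a = audience{s}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a)) // array form
}

// CheckAudience validates the aud claim of a JWT whose signature, issuer and expiry
// were verified earlier; skipClientIDCheck models the library option named in the advisory.
func CheckAudience(clientID string, skipClientIDCheck bool, token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var claims struct{ Aud audience `json:"aud"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return err
	}
	if skipClientIDCheck {
		return nil // pre-0.16.2 behaviour: any audience from this issuer is accepted
	}
	for _, aud := range claims.Aud {
		if aud == clientID {
			return nil // fixed behaviour: the token must name this service
		}
	}
	return errors.New("token audience does not include " + clientID)
}

// SampleToken wraps a JSON claims object in an unsigned JWT (constructed test input only).
func SampleToken(claimsJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(claimsJSON)) + ".sig"
}
```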

Impact

Exploitation of this vulnerability allows an attacker to authenticate to Oxia with a valid JWT issued by the same identity provider but intended for a different service. Because the audience check is skipped, such a token grants unauthorized access to Oxia.

Remediation

The vulnerability has been fixed in Oxia version 0.16.2, and users should upgrade to that version. In addition, it is recommended to enforce network-level isolation so that only trusted services can reach the Oxia gRPC endpoints.

Added: Apr 22, 2026, 12:22 AM
Updated: Apr 22, 2026, 12:22 AM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 5.0
exploitability: 7.0
remediation: 0.0
relevance: 6.4
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.