OIDC audience validation skipped when --authn-oidc-audience is unset
Summary
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0. Prior to 1.18.0, when OpenFGA is configured to use OIDC authentication (authn.method=oidc, authn.oidc.issuer set) but authn.oidc.audience is left unset, the JWT audience claim on incoming bearer tokens is not validated. As a result, a validly-signed OIDC access token issued by the same identity provider for a completely different, unrelated application can be accepted by OpenFGA as a valid credential, allowing an attacker holding such a token to authenticate to OpenFGA and perform unauthorized authorization queries or writes. An attacker who can obtain such a token, for example one issued to a lower-privileged or unrelated application at the same IdP, could use it to authenticate to OpenFGA and perform authorization queries or writes they should not be permitted to make. This flaw only affects deployments that explicitly enable OpenFGA's OIDC authentication method and leave --authn-oidc-audience unset.
- < 1.18.0
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Administrators running OpenFGA with OIDC authentication enabled should set --authn-oidc-audience to the expected audience value for their deployment, restricting accepted tokens to those issued for OpenFGA itself. Upgrading to OpenFGA 1.18.0 or later, which restores audience validation by default, is the preferred long-term remediation.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.