Reported as H-03 in the PR #117 security assessment. Distinct from #66, which covers JWKS discovery.
What
OIDCAudience is optional and empty by default:
operator/internal/config/config.go:35 documents empty as "no audience check".
operator/internal/controller/reconcilers/auth.go:268-269 only sets the JWT provider's audiences when OIDCAudience is non-empty.
So out of the box the internal endpoint's JWT check accepts any valid token from the issuer regardless of which client it was minted for. Group authorization still applies, but the token is not bound to this service's audience, so a token obtained for an unrelated Keycloak client is accepted.
Why it matters
Audience binding is what ties a token to the service it was issued for. Without it, the internal endpoint trusts any issuer-signed token that satisfies the group check, which widens the set of tokens that authenticate beyond what most operators would expect from a default install.
Fix
- Set a sensible default audience (or make
LLM_OIDC_AUDIENCE required) and document the expected client/audience wiring.
- Confirm the Keycloak client provisioning actually issues tokens carrying that audience so the check does not lock out legitimate callers.
Reported as H-03 in the PR #117 security assessment. Distinct from #66, which covers JWKS discovery.
What
OIDCAudienceis optional and empty by default:operator/internal/config/config.go:35documents empty as "no audience check".operator/internal/controller/reconcilers/auth.go:268-269only sets the JWT provider'saudienceswhenOIDCAudienceis non-empty.So out of the box the internal endpoint's JWT check accepts any valid token from the issuer regardless of which client it was minted for. Group authorization still applies, but the token is not bound to this service's audience, so a token obtained for an unrelated Keycloak client is accepted.
Why it matters
Audience binding is what ties a token to the service it was issued for. Without it, the internal endpoint trusts any issuer-signed token that satisfies the group check, which widens the set of tokens that authenticate beyond what most operators would expect from a default install.
Fix
LLM_OIDC_AUDIENCErequired) and document the expected client/audience wiring.