Skip to content

Internal JWT provider does not bind an audience by default #136

Description

@dcmcand

Reported as H-03 in the PR #117 security assessment. Distinct from #66, which covers JWKS discovery.

What

OIDCAudience is optional and empty by default:

  • operator/internal/config/config.go:35 documents empty as "no audience check".
  • operator/internal/controller/reconcilers/auth.go:268-269 only sets the JWT provider's audiences when OIDCAudience is non-empty.

So out of the box the internal endpoint's JWT check accepts any valid token from the issuer regardless of which client it was minted for. Group authorization still applies, but the token is not bound to this service's audience, so a token obtained for an unrelated Keycloak client is accepted.

Why it matters

Audience binding is what ties a token to the service it was issued for. Without it, the internal endpoint trusts any issuer-signed token that satisfies the group check, which widens the set of tokens that authenticate beyond what most operators would expect from a default install.

Fix

  • Set a sensible default audience (or make LLM_OIDC_AUDIENCE required) and document the expected client/audience wiring.
  • Confirm the Keycloak client provisioning actually issues tokens carrying that audience so the check does not lock out legitimate callers.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    Priority

    None yet

    Start date

    None yet

    Target date

    None yet

    Size

    None yet

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions