Add option to require a valid aceess token audience

ragnard · ragnard · commit 69e3bee80eeb · 2025-12-06T10:56:57.000+01:00
diff --git a/core/trino-main/src/main/java/io/trino/server/security/oauth2/NimbusOAuth2Client.java b/core/trino-main/src/main/java/io/trino/server/security/oauth2/NimbusOAuth2Client.java
@@ -117,15 +117,26 @@ public NimbusOAuth2Client(OAuth2Config oauthConfig, OAuth2ServerConfigProvider s
         principalField = oauthConfig.getPrincipalField();
         maxClockSkew = oauthConfig.getMaxClockSkew();
         jwtType = oauthConfig.getJwtType();
-
-        accessTokenAudiences = new HashSet<>(oauthConfig.getAdditionalAudiences());
-        accessTokenAudiences.add(clientId.getValue());
-        accessTokenAudiences.add(null); // A null value in the set allows JWTs with no audience
+        accessTokenAudiences = getAccessTokenAudiences(oauthConfig);
 
         this.serverConfigurationProvider = requireNonNull(serverConfigurationProvider, "serverConfigurationProvider is null");
         this.httpClient = requireNonNull(httpClient, "httpClient is null");
     }
 
+    private static Set<String> getAccessTokenAudiences(OAuth2Config oauthConfig)
+    {
+        HashSet<String> audiences = new HashSet<>();
+        audiences.add(clientId.getValue());
+        audiences.addAll(oauthConfig.getAdditionalAudiences());
+
+        if (!oauthConfig.isRequireAudience()) {
+             // A null value in the set allows JWTs with no audience
+            audiences.add(null);
+        }
+
+        return audiences;
+    }
+
     @Override
     public void load()
     {
diff --git a/core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Config.java b/core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Config.java
@@ -42,6 +42,7 @@ public class OAuth2Config
     private Set<String> scopes = ImmutableSet.of(OPENID_SCOPE);
     private String principalField = "sub";
     private Optional<String> groupsField = Optional.empty();
+    private boolean requireAudience = false;
     private List<String> additionalAudiences = Collections.emptyList();
     private Duration challengeTimeout = new Duration(15, TimeUnit.MINUTES);
     private Duration maxClockSkew = new Duration(1, TimeUnit.MINUTES);
@@ -107,6 +108,20 @@ public OAuth2Config setClientSecret(String clientSecret)
         return this;
     }
 
+    @NotNull
+    public boolean isRequireAudience()
+    {
+        return this.requireAudience;
+    }
+
+    @Config("http-server.authentication.oauth2.require-audience")
+    @ConfigDescription("Require a valid audience. If false (default), access tokens without an aud claim will be accepted.")
+    public OAuth2Config setRequireAudience(boolean requireAudience)
+    {
+        this.requireAudience = requireAudience;
+        return this;
+    }
+
     @NotNull
     public List<String> getAdditionalAudiences()
     {
diff --git a/core/trino-main/src/test/java/io/trino/server/security/oauth2/TestOAuth2Config.java b/core/trino-main/src/test/java/io/trino/server/security/oauth2/TestOAuth2Config.java
@@ -45,6 +45,7 @@ public void testDefaults()
                 .setChallengeTimeout(new Duration(15, MINUTES))
                 .setPrincipalField("sub")
                 .setGroupsField(null)
+                .setRequireAudience(false)
                 .setAdditionalAudiences(Collections.emptyList())
                 .setMaxClockSkew(new Duration(1, MINUTES))
                 .setJwtType(null)
@@ -67,6 +68,7 @@ public void testExplicitPropertyMappings()
                 .put("http-server.authentication.oauth2.scopes", "email,offline")
                 .put("http-server.authentication.oauth2.principal-field", "some-field")
                 .put("deprecated.http-server.authentication.oauth2.groups-field", "groups")
+                .put("http-server.authentication.oauth2.require-audience", "true")
                 .put("http-server.authentication.oauth2.additional-audiences", "test-aud1,test-aud2")
                 .put("http-server.authentication.oauth2.challenge-timeout", "90s")
                 .put("http-server.authentication.oauth2.max-clock-skew", "15s")
@@ -85,6 +87,7 @@ public void testExplicitPropertyMappings()
                 .setScopes(ImmutableSet.of("email", "offline"))
                 .setPrincipalField("some-field")
                 .setGroupsField("groups")
+                .setRequireAudience(true)
                 .setAdditionalAudiences(List.of("test-aud1", "test-aud2"))
                 .setChallengeTimeout(new Duration(90, SECONDS))
                 .setMaxClockSkew(new Duration(15, SECONDS))
diff --git a/docs/src/main/sphinx/security/oauth2.md b/docs/src/main/sphinx/security/oauth2.md
@@ -126,6 +126,9 @@ The following configuration properties are available:
   - The public identifier of the Trino client.
 * - `http-server.authentication.oauth2.client-secret`
   - The secret used to authorize Trino client with the authorization server.
+* - `http-server.authentication.oauth2.require-audience`
+  - Require a valid audience. If false (default), access tokens
+    without an aud claim will be accepeted.
 * - `http-server.authentication.oauth2.additional-audiences`
   - Additional audiences to trust in addition to the client ID which is
     always a trusted audience.
