
harden(authbridge): derive token audience from the route, not the client Host header #513

Description

@huang195

From the AuthBridge roadmap (Deep Dive → Next Steps · Hardening / Security).

Current behavior: the expected audience used for JWT validation / token-exchange is derived from the request Host header.

Risk: the Host header is client-controlled — a caller can spoof it to steer audience derivation (e.g. obtain or validate tokens for an unintended audience).

Proposed fix: derive the audience from the configured route / resolved destination, not from the client-supplied Host header.
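A side-by-side illustration of the two derivations, added here as an example and not AuthBridge's own code: the route table, the HS256 check, the secret and the service names are all constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Hypothetical route configuration: each route pins its expected audience to
# the configured destination, so no request header can influence it.
ROUTES = {
    "/api/orders": {"destination": "orders.internal.example", "audience": "orders-svc"},
    "/api/billing": {"destination": "billing.internal.example", "audience": "billing-svc"},
}
SECRET = b"constructed-demo-secret"  # constructed for this example only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(aud: str) -> str:
    """Mint an HS256 JWT with the given aud claim (demo issuer, not a real IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "demo-idp", "aud": aud}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, expected_aud: Optional[str]) -> bool:
    """Check the signature, then require the aud claim to equal expected_aud."""
    if not expected_aud:  # no configured audience means nothing can be accepted
        return False
    try:
        header, payload, sig = token.split(".")
        want = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64url_decode(sig)):
            return False
        return json.loads(_b64url_decode(payload)).get("aud") == expected_aud
    except (ValueError, json.JSONDecodeError):
        return False


def expected_audience_from_host(headers: dict) -> str:
    """Current (weak) behaviour: the audience follows the client-supplied Host."""
    return headers.get("Host", "")


def expected_audience_from_route(path: str) -> Optional[str]:
    """Hardened behaviour: the audience comes from the matched route config only."""
    for prefix, route in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return route["audience"]
    return None
```

With the Host-derived variant, a caller holding a valid token for one audience can make it validate for a request routed elsewhere just by setting Host to that audience; the route-derived variant rejects the same request because the expected audience is fixed by configuration.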

Labels: enhancement (New feature or request)