[SECVULN-1532] chore: Remove TODO comments for OIDC/JWT auth (#19700)

chore: Remove TODO comments for OIDC/JWT auth

Remove old TODO comments and update remaining comments for clarity.
Michael Zalimeni 2023-11-20 16:34:48 -05:00 committed by GitHub
parent bfb3a43648
commit 58cc6eded4
2 changed files with 2 additions and 2 deletions


@ -45,7 +45,6 @@ type Config struct {
// Comma-separated list of 'aud' claims that are valid for login; any match
// is sufficient
// TODO(sso): actually just send these down as string claims?
BoundAudiences []string
// Mappings of claims (key) that will be copied to a metadata field


@ -235,7 +235,8 @@ func (a *Authenticator) verifyOIDCToken(ctx context.Context, rawToken string) (m
if err := idToken.Claims(&allClaims); err != nil {
return nil, fmt.Errorf("unable to successfully parse all claims from token: %v", err)
}
// TODO(sso): why isn't this strict for OIDC?
// Follows behavior of hashicorp/vault-plugin-auth-jwt (non-strict validation).
// See https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/oidc#oidc-configuration-troubleshooting.
if err := validateAudience(a.config.BoundAudiences, idToken.Audience, false); err != nil {
return nil, fmt.Errorf("error validating claims: %v", err)
}
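Review bot: The replacement comment names the precedent but not what the literal `false` on the validateAudience call actually relaxes, so a reader of verifyOIDCToken still has to open validateAudience to learn what "non-strict" means for the audience check. Since this is the one place where the OIDC path deliberately differs from a strict `aud` check, the comment should state the concrete effect next to the flag; presumably the relaxed case concerns how an empty or non-matching BoundAudiences set is treated, but that should be confirmed against validateAudience before it is written down. A short form would be `// strict=false: non-strict 'aud' validation, matching hashicorp/vault-plugin-auth-jwt;` followed by one line describing the relaxed case and keeping the existing troubleshooting link. The enclosing verifyOIDCToken function starts and ends outside this hunk.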