#0806

Issuer Validation

Hard · +200 XP · A07:2021 Identification and Authentication Failures · CWE-347
JWT · Authentication · Token Validation

Scenario

A JWT carries an 'iss' (issuer) claim naming the party that created the token. Your application should trust tokens only from known identity providers.

The validation function checks that iss exists but never compares it against an allowlist.

An attacker can stand up their own identity provider, mint tokens with arbitrary claims, and use them against your API. This is most damaging when the verifier also resolves signing keys from iss (for example via OpenID Connect discovery at the issuer's URL): the attacker's token is then signed with a key your verifier will happily fetch and accept, so the signature check passes as well.

Without issuer validation, anyone who knows your token layout can produce tokens that pass the remaining checks, bypassing your identity provider entirely.

Your Tasks

  1. Inspect validateIssuer — it checks payload.iss exists but never verifies it's in allowedIssuers.
  2. Fix it: throw 'Untrusted issuer' if payload.iss is not in allowedIssuers.
  3. Return {valid:true, issuer:payload.iss} when the issuer is trusted.
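The three steps above, worked through as an added example (this is not the challenge's solution.js): the vulnerable validator as described, a plausible-but-wrong "fix" that matches on suffixes, and the exact-match version the task asks for. Function and parameter names (validateIssuer, payload, allowedIssuers) follow the challenge text; the loose variant, the tryValidate/runAll helpers and the sample payloads are constructed here for illustration.

```javascript
// Added example, not the challenge's own solution file: the vulnerable
// validator described in the task alongside a hardened version and a
// plausible-but-wrong variant. Function and parameter names follow the
// challenge text; everything else (the loose variant, tryValidate, runAll,
// the sample payloads) is constructed here for illustration.

// BUG (the challenge's starting point): presence check only.
function validateIssuerVulnerable(payload, allowedIssuers) {
  if (!payload.iss) {
    throw new Error('Untrusted issuer');
  }
  // allowedIssuers is never consulted, so any non-empty iss passes.
  return { valid: true, issuer: payload.iss };
}

// WRONG FIX: suffix matching "against the allowlist".
// 'evil-auth.myapp.com' ends with 'auth.myapp.com' and is accepted.
function validateIssuerLoose(payload, allowedIssuers) {
  const iss = payload.iss;
  if (typeof iss !== 'string' || !allowedIssuers.some((a) => iss.endsWith(a))) {
    throw new Error('Untrusted issuer');
  }
  return { valid: true, issuer: iss };
}

// FIXED: iss must be a string that exactly equals an allowlisted issuer.
// Exact comparison covers the empty-string case (it is not in the list)
// and lookalikes such as 'auth.myapp.com.evil.com' or 'evil-auth.myapp.com'.
function validateIssuer(payload, allowedIssuers) {
  const iss = payload.iss;
  if (typeof iss !== 'string' || !allowedIssuers.includes(iss)) {
    throw new Error('Untrusted issuer');
  }
  return { valid: true, issuer: iss };
}

// Helper for exercising a validator without letting the throw escape.
function tryValidate(fn, payload, allowedIssuers) {
  try {
    return fn(payload, allowedIssuers);
  } catch (err) {
    return { valid: false, error: err.message };
  }
}

// Constructed sample payloads: no real tokens, no real issuers.
const ALLOWED = ['auth.myapp.com'];
const PAYLOADS = {
  trusted: { sub: 'alice', iss: 'auth.myapp.com' },
  evil: { sub: 'alice', iss: 'evil.com' },
  suffixLookalike: { sub: 'alice', iss: 'evil-auth.myapp.com' },
  prefixLookalike: { sub: 'alice', iss: 'auth.myapp.com.evil.com' },
  empty: { sub: 'alice', iss: '' },
};

// Runs every sample payload through a validator; returns name -> result.
function runAll(fn) {
  const out = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    out[name] = tryValidate(fn, payload, ALLOWED);
  }
  return out;
}

// Side-by-side view: only the fixed validator rejects every untrusted payload.
for (const [label, fn] of [
  ['vulnerable', validateIssuerVulnerable],
  ['loose', validateIssuerLoose],
  ['fixed', validateIssuer],
]) {
  console.log(label, JSON.stringify(runAll(fn)));
}
```

The fixed version deliberately uses Array.prototype.includes, i.e. exact string equality, rather than startsWith, endsWith, a regex or a substring test: any of those turns the allowlist into a pattern an attacker can satisfy with a lookalike hostname they control. The same exact-match rule should drive any per-issuer key lookup the verifier performs, so that a rejected issuer never gets as far as a key fetch.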

Examples

Example 1: Evil issuer accepted (bug)

validateIssuer({sub:'alice',iss:'evil.com'}, ['auth.myapp.com'])
// Returns {valid:true, issuer:'evil.com'} — should throw!

Example 2: Trusted issuer accepted

validateIssuer({sub:'alice',iss:'auth.myapp.com'}, ['auth.myapp.com'])
// Returns {valid:true, issuer:'auth.myapp.com'}

Constraints

  • payload has sub (string) and iss (string)
  • allowedIssuers is an array of strings
  • An empty string iss is not trusted (it won't be in allowedIssuers)
  • Throw exactly 'Untrusted issuer' — no other message
