From ad5aedfa6077fb1172adfc50f2fc07b2de67d06d Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 13 Apr 2022 16:00:15 -0700
Subject: [PATCH] Fix backward compatibility in AuthorizeAdminToken

This commit validates both new and old issuers.
---
 authority/authorize.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/authority/authorize.go b/authority/authorize.go
index b0a1fab4..fdf3941b 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -130,8 +130,7 @@ func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedc
 // According to "rfc7519 JSON Web Token" acceptable skew should be no
 // more than a few minutes.
 if err := claims.ValidateWithLeeway(jose.Expected{
- Issuer: "step-admin-client/1.0",
- Time: time.Now().UTC(),
+ Time: time.Now().UTC(),
 }, time.Minute); err != nil {
 return nil, admin.WrapError(admin.ErrorUnauthorizedType, err, "x5c.authorizeToken; invalid x5c claims")
 }
@@ -141,6 +140,12 @@ func (a *Authority) AuthorizeAdminToken(r *http.Request, token string) (*linkedc
 return nil, admin.NewError(admin.ErrorUnauthorizedType, "x5c.authorizeToken; x5c token has invalid audience claim (aud)")
 }
 
+ // validate issuer: old versions used the provisioner name, new version uses
+ // 'step-admin-client/1.0'
+ if claims.Issuer != "step-admin-client/1.0" && claims.Issuer != prov.GetName() {
+ return nil, admin.NewError(admin.ErrorUnauthorizedType, "x5c.authorizeToken; x5c token has invalid issuer claim (iss)")
+ }
+
 if claims.Subject == "" {
 return nil, admin.NewError(admin.ErrorUnauthorizedType, "x5c.authorizeToken; x5c token subject cannot be empty")
 }
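Review bot: The admin-client issuer `"step-admin-client/1.0"` is a bare literal in the new comparison in the second hunk (as it was in the removed `jose.Expected.Issuer` field of the first); hoisting it into a package-level constant such as `const adminClientIssuer = "step-admin-client/1.0"` would keep the accepted value in one place and make the legacy provisioner-name branch easier to retire later. The check itself reads correctly: a token is rejected unless its `iss` is either the fixed value or the name of `prov`, which appears to be resolved before this hunk (`prov` is not declared in the visible lines), so the legacy path still ties the token to the provisioner it was matched against. One edge worth confirming is whether `prov.GetName()` can ever be empty, since a token with an empty `iss` would then pass the legacy branch; an explicit `claims.Issuer == ""` rejection ahead of the comparison would close that. The comment could also say why the second form is accepted, e.g. `// Legacy clients set iss to the provisioner name; accept it for backward compatibility.` AuthorizeAdminToken begins before the first hunk and continues after the second.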