OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGAs OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Helm_charts | Openfga | * | 0.3.9 (excluding) |
| Openfga | Openfga | * | 1.18.0 (excluding) |