Skip to content

fix(backend): Enforce azp when configured#8877

Open
dominic-clerk wants to merge 1 commit into
mainfrom
dc-fix-azp-when-configured
Open

fix(backend): Enforce azp when configured#8877
dominic-clerk wants to merge 1 commit into
mainfrom
dc-fix-azp-when-configured

Conversation

@dominic-clerk

@dominic-clerk dominic-clerk commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Description

Enforce the azp (authorized party) claim when authorizedParties is configured. Previously, a session token that was missing the azp claim was accepted even when authorizedParties was set, allowing the authorized-parties check to be bypassed by omitting the claim. Now, when authorizedParties is configured, a token with a missing or empty azp claim is rejected. Tokens without azp continue to be accepted when no authorizedParties are configured.

Related to SEC-313

To be a problem this needs a system emitting azp-less tokens in an environment where an app expects azp to be set. Attackers can't just drop the azp claim as this would make the signature invalid.

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened session token validation security: when authorized parties are configured, session tokens missing the authorized party claim (or with an empty value) are now rejected, preventing an authorization bypass.
    • Tokens without this claim continue to be accepted when authorized parties are not configured.
    • Updated validation coverage to reflect the new behavior across configured vs. unconfigured cases.

@vercel

vercel Bot commented Jun 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jul 6, 2026 1:50pm
swingset Ready Ready Preview, Comment Jul 6, 2026 1:50pm

Request Review

@changeset-bot

changeset-bot Bot commented Jun 16, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 4296e39

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages
Name Type
@clerk/backend Patch
@clerk/astro Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: cc9968cc-197b-4e7f-a5dd-7f1e07941288

📥 Commits

Reviewing files that changed from the base of the PR and between 527170f and 4296e39.

📒 Files selected for processing (3)
  • .changeset/warm-spies-double.md
  • packages/backend/src/jwt/__tests__/assertions.test.ts
  • packages/backend/src/jwt/assertions.ts
✅ Files skipped from review due to trivial changes (1)
  • .changeset/warm-spies-double.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/backend/src/jwt/tests/assertions.test.ts
  • packages/backend/src/jwt/assertions.ts

📝 Walkthrough

Walkthrough

assertAuthorizedPartiesClaim now only skips validation when authorizedParties is unset or empty. When authorizedParties is configured, missing or empty azp claims are rejected. Tests and a changeset were updated to match.

Changes

azp enforcement in assertAuthorizedPartiesClaim

Layer / File(s) Summary
assertAuthorizedPartiesClaim control flow fix and tests
packages/backend/src/jwt/assertions.ts, packages/backend/src/jwt/__tests__/assertions.test.ts
The claim check now keys its early return off authorizedParties being unset or empty, and the tests split coverage between the unconfigured accept case and the configured reject case for missing or empty azp.
Changeset entry
.changeset/warm-spies-double.md
Adds a @clerk/backend patch changeset describing the updated azp enforcement behavior.

Estimated code review effort: 2 (Simple) | ~8 minutes

Poem

🐇 I hopped through the token gate tonight,
If parties are set, the claim must be right.
No azp? Then the bunny says “nope,”
The warren stays tidy with a stricter scope.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main backend change: enforcing azp validation when authorizedParties is configured.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Comment @coderabbitai help to get the list of available commands.

@pkg-pr-new

pkg-pr-new Bot commented Jun 16, 2026

Copy link
Copy Markdown

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8877

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8877

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8877

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8877

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@8877

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@8877

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@8877

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8877

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8877

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8877

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8877

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8877

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8877

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8877

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8877

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8877

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8877

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8877

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8877

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8877

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8877

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8877

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8877

commit: 4296e39

@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

API Changes Report

Generated by Break Check on 2026-07-06T13:53:38.599Z

Summary

Metric Count
Packages analyzed 19
Packages with changes 0
🔴 Breaking changes 0
🟡 Non-breaking changes 0
🟢 Additions 0

No API Changes Detected

All packages have stable APIs with no detected changes.


Report generated by Break Check

Last ran on 4296e39.

@wobsoriano wobsoriano left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I think I approved a bit too quickly.

This is at least a behavioral breaking change for any app that has authorizedParties configured but can still receive azp-less tokens. It does look like the correct security
behavior to me.

Discussed in Slack, Im in favor of rolling this out in shadow mode first https://github.com/clerk/dashboard/pull/9494

@dominic-clerk

Copy link
Copy Markdown
Contributor Author

@wobsoriano is the experimentation in the Dashboard enough for us to merge here or we should change something in the PR?

Enforce the `azp` (authorized party) claim when `authorizedParties` is configured.
Previously, a session token that was missing the `azp` claim was accepted even when
`authorizedParties` was set, allowing the authorized-parties check to be bypassed
by omitting the claim. Now, when `authorizedParties` is configured, a token with a
missing or empty `azp` claim is rejected. Tokens without `azp` continue to be
accepted when no `authorizedParties` are configured.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants