[s3inbox] OIDC authentication does not verify audience #1639

@FracassandoCasualmente

Describe the bug

When using LS AAI to log in, if we use an access token to authenticate into the inbox or the outbox, the server does not verify the audience (aud) field in the token (which should be equal to the OIDC client ID). This means an attacker could impersonate the user if the user logged in to an attacker's service (e.g., another instance of SDA).

Steps to reproduce

I prepared an extra auth service and registered it on the mock AAI as a separate client so this demo would work easily. This setup can be used by checking out this commit.

Steps:

  • Run make sda-s3-up
  • Log into the rogue service at http://localhost:8802 as a dummy user
  • Get the access token from the rogue server and put it into a "token" variable in the terminal
  • Run curl -H "Authorization: Bearer $token" localhost:8090/files
  • Check that the API returns a non-error response (probably []) even though the token is for a different Relying Party

Expected behavior

  • Services that deal with access token authentication must verify the "aud" field matches the OIDC client ID of the service and deny authentication if it doesn't match.

Estimation of size

small

Estimation of priority

medium
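The following is an added example illustrating the check the report asks for; it is not code from the SDA project or from the issue author. It verifies a compact JWT, then contrasts an "issuer and signature only" acceptance path with one that also requires the service's own OIDC client ID to appear in aud. Per RFC 7519 the aud claim may be a single string or an array of strings, so both shapes are handled. To stay self-contained it signs tokens with an HMAC-SHA256 secret standing in for the AAI's real RS256 keys; the key, issuer URL, subject and client IDs (sda-inbox, rogue-client) are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the registered claims the check needs. aud is kept raw because
// RFC 7519 allows it to be either one string or an array of strings.
type Claims struct {
	Issuer   string          `json:"iss"`
	Subject  string          `json:"sub"`
	Audience json.RawMessage `json:"aud,omitempty"`
	Expiry   int64           `json:"exp"`
}

// audience builds a raw aud value from a string or a []string (test helper).
func audience(v interface{}) json.RawMessage { raw, _ := json.Marshal(v); return raw }

// audiences normalises aud to a slice regardless of which JSON shape was used.
func (c Claims) audiences() ([]string, error) {
	if len(c.Audience) == 0 {
		return nil, nil
	}
	var single string
	if err := json.Unmarshal(c.Audience, &single); err == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(c.Audience, &many); err != nil {
		return nil, errors.New("aud is neither a string nor an array of strings")
	}
	return many, nil
}

var b64 = base64.RawURLEncoding

// signHS256 mints a token the way the (mock) AAI would; HMAC stands in for RS256.
func signHS256(c Claims, key []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 checks the signature and exp; it deliberately says nothing about
// which client the token was minted for, which is the gap the issue describes.
func verifyHS256(token string, key []byte) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key) // the algorithm is pinned, never read from the header
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("signature verification failed")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Expiry == 0 || time.Now().Unix() >= c.Expiry {
		return Claims{}, errors.New("token has no exp or is expired")
	}
	return c, nil
}

// authenticateVulnerable mirrors the reported behaviour: a valid signature from
// the trusted issuer is enough, whatever audience the token carries.
func authenticateVulnerable(token string, key []byte, issuer string) (string, error) {
	c, err := verifyHS256(token, key)
	if err != nil {
		return "", err
	}
	if c.Issuer != issuer {
		return "", errors.New("unknown issuer")
	}
	return c.Subject, nil
}

// authenticateFixed additionally requires our own client ID to be in aud, so a
// token a user obtained from another Relying Party is rejected here.
func authenticateFixed(token string, key []byte, issuer, clientID string) (string, error) {
	sub, err := authenticateVulnerable(token, key, issuer)
	if err != nil {
		return "", err
	}
	c, _ := verifyHS256(token, key) // already verified above; re-decode for claims
	auds, err := c.audiences()
	if err != nil {
		return "", err
	}
	for _, a := range auds {
		if a == clientID {
			return sub, nil
		}
	}
	return "", fmt.Errorf("token audience %v does not include %q", auds, clientID)
}

func main() {
	key, iss := []byte("constructed-shared-secret"), "https://mock-aai.example"
	exp := time.Now().Add(time.Hour).Unix()
	rogue, _ := signHS256(Claims{Issuer: iss, Subject: "dummy-user", Audience: audience("rogue-client"), Expiry: exp}, key)
	fmt.Println(authenticateVulnerable(rogue, key, iss))          // accepted: dummy-user <nil>
	fmt.Println(authenticateFixed(rogue, key, iss, "sda-inbox")) // rejected: audience mismatch
}
```

The same rejection should apply when aud is absent altogether: a token with no audience cannot be shown to be intended for this service, so the fixed path returns an error rather than falling back to the issuer-only check.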

Labels: bug