New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UserInfo response subject must be verified #62

Open

hotgazpacho opened this issue Sep 25, 2016 · 1 comment

hotgazpacho commented Sep 25, 2016

According to the OpenID Connect UserInfo Response spec:

NOTE: Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.

Author

hotgazpacho commented Sep 25, 2016

Right now, I'm monkey patching this in my Rails app like so:

def user_info
  @user_info ||= begin
    _user_info = access_token.userinfo!
    if id_token.sub.eql?(_user_info.sub)
      _user_info
    else
      Rails.logger.tagged("OpenID Connect") { Rails.logger.warn("UserInfo subject does not match ID Token subject. Discarding UserInfo response.") }
      ::OpenIDConnect::ResponseObject::UserInfo.new(sub: '😶')
    end
  end
end

hotgazpacho mentioned this issue

Verify UserInfo Response #63

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment