#407 OIDC - Fail if the user-info subject does not match

This commit is contained in:
Chris R 2015-08-25 11:26:02 -07:00
parent 583c251f02
commit 7213b53554
1 changed files with 4 additions and 6 deletions


@ -403,14 +403,14 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
ticket = ValidateToken(idToken, message, properties, validationParameters, out jwt);
await ValidateOpenIdConnectProtocolAsync(jwt, null);
if (Options.GetClaimsFromUserInfoEndpoint)
{
Logger.LogDebug(Resources.OIDCH_0040_Sending_Request_UIEndpoint);
ticket = await GetUserInformationAsync(properties, tokenEndpointResponse.Message, ticket);
}
await ValidateOpenIdConnectProtocolAsync(jwt, null);
var securityTokenValidatedNotification = await RunSecurityTokenValidatedNotificationAsync(message, ticket);
if (securityTokenValidatedNotification.HandledResponse)
{
@ -528,8 +528,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
var subjectClaimType = identity.FindFirst(ClaimTypes.NameIdentifier);
if (subjectClaimType == null)
{
Logger.LogError(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0041_Subject_Claim_Not_Found, identity.ToString()));
return ticket;
throw new OpenIdConnectProtocolException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0041_Subject_Claim_Not_Found, identity.ToString()));
}
var userInfoSubjectClaimValue = user.Value<string>(JwtRegisteredClaimNames.Sub);
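Review bot: Removing the `Logger.LogError` at the missing-subject check drops the only visible record of the failure, and the same applies to the sub-mismatch check in the next hunk; after this change the event is recorded only if whatever catches the new OpenIdConnectProtocolException logs it, and that catch is outside both hunks. A user-info `sub` that does not match the id_token subject is exactly the trace an id_token/user-info substitution would leave, so it should stay in the error log regardless of how the exception is surfaced. I would keep the log line at each throw site, e.g. `Logger.LogError(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0041_Subject_Claim_Not_Found, identity.ToString()));` immediately before the throw here and `Logger.LogError(Resources.OIDCH_0039_Subject_Claim_Mismatch);` before the throw in the following hunk, or confirm the caller logs the exception at error level. The enclosing method starts and ends outside the hunk.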
@ -537,8 +536,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
// check if the sub claim matches
if (userInfoSubjectClaimValue == null || !string.Equals(userInfoSubjectClaimValue, subjectClaimType.Value, StringComparison.Ordinal))
{
Logger.LogError(Resources.OIDCH_0039_Subject_Claim_Mismatch);
return ticket;
throw new OpenIdConnectProtocolException(Resources.OIDCH_0039_Subject_Claim_Mismatch);
}
foreach (var claim in identity.Claims)