#407 OIDC - Fail if the user-info subject does not match
This commit is contained in:
parent
583c251f02
commit
7213b53554
|
|
@ -403,14 +403,14 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
|
||||||
|
|
||||||
ticket = ValidateToken(idToken, message, properties, validationParameters, out jwt);
|
ticket = ValidateToken(idToken, message, properties, validationParameters, out jwt);
|
||||||
|
|
||||||
|
await ValidateOpenIdConnectProtocolAsync(jwt, null);
|
||||||
|
|
||||||
if (Options.GetClaimsFromUserInfoEndpoint)
|
if (Options.GetClaimsFromUserInfoEndpoint)
|
||||||
{
|
{
|
||||||
Logger.LogDebug(Resources.OIDCH_0040_Sending_Request_UIEndpoint);
|
Logger.LogDebug(Resources.OIDCH_0040_Sending_Request_UIEndpoint);
|
||||||
ticket = await GetUserInformationAsync(properties, tokenEndpointResponse.Message, ticket);
|
ticket = await GetUserInformationAsync(properties, tokenEndpointResponse.Message, ticket);
|
||||||
}
|
}
|
||||||
|
|
||||||
await ValidateOpenIdConnectProtocolAsync(jwt, null);
|
|
||||||
|
|
||||||
var securityTokenValidatedNotification = await RunSecurityTokenValidatedNotificationAsync(message, ticket);
|
var securityTokenValidatedNotification = await RunSecurityTokenValidatedNotificationAsync(message, ticket);
|
||||||
if (securityTokenValidatedNotification.HandledResponse)
|
if (securityTokenValidatedNotification.HandledResponse)
|
||||||
{
|
{
|
||||||
|
|
@ -528,8 +528,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
|
||||||
var subjectClaimType = identity.FindFirst(ClaimTypes.NameIdentifier);
|
var subjectClaimType = identity.FindFirst(ClaimTypes.NameIdentifier);
|
||||||
if (subjectClaimType == null)
|
if (subjectClaimType == null)
|
||||||
{
|
{
|
||||||
Logger.LogError(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0041_Subject_Claim_Not_Found, identity.ToString()));
|
throw new OpenIdConnectProtocolException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0041_Subject_Claim_Not_Found, identity.ToString()));
|
||||||
return ticket;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var userInfoSubjectClaimValue = user.Value<string>(JwtRegisteredClaimNames.Sub);
|
var userInfoSubjectClaimValue = user.Value<string>(JwtRegisteredClaimNames.Sub);
|
||||||
|
|
@ -537,8 +536,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
|
||||||
// check if the sub claim matches
|
// check if the sub claim matches
|
||||||
if (userInfoSubjectClaimValue == null || !string.Equals(userInfoSubjectClaimValue, subjectClaimType.Value, StringComparison.Ordinal))
|
if (userInfoSubjectClaimValue == null || !string.Equals(userInfoSubjectClaimValue, subjectClaimType.Value, StringComparison.Ordinal))
|
||||||
{
|
{
|
||||||
Logger.LogError(Resources.OIDCH_0039_Subject_Claim_Mismatch);
|
throw new OpenIdConnectProtocolException(Resources.OIDCH_0039_Subject_Claim_Mismatch);
|
||||||
return ticket;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach (var claim in identity.Claims)
|
foreach (var claim in identity.Claims)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue