Check if subject is equal to subject of id token when verifying JWT claims #406

Merged


ricklambrechts
Contributor

@ricklambrechts ricklambrechts commented Dec 29, 2023

According to the OIDC spec 5.3.2. Successful Userinfo Response we need to be sure of the following:

The sub (subject) Claim MUST always be returned in the UserInfo Response.

And:

NOTE: Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.

List of common tasks a pull request requires to be complete

  • Changelog entry is added or the pull request doesn't alter the library's functionality
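
The check quoted from the spec above, as a stand-alone PHP example added here (it is not the code merged in this pull request and not the library's API). The function name `userInfoBoundToIdToken` and all sample claims are hypothetical, and the ID token is assumed to have already passed its own validation.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not the library's API): returns the UserInfo claims
 * only when their "sub" exactly matches the "sub" of the validated ID token.
 */
function userInfoBoundToIdToken(array $idTokenClaims, array $userInfo): array
{
    // Assumption: signature, iss, aud and exp of the ID token were checked earlier.
    $expected = $idTokenClaims['sub'] ?? null;
    if (!is_string($expected) || $expected === '') {
        throw new UnexpectedValueException('ID token has no usable sub claim');
    }
    // OIDC Core 5.3.2: sub MUST always be returned in the UserInfo Response.
    if (!array_key_exists('sub', $userInfo)) {
        throw new UnexpectedValueException('UserInfo response has no sub claim');
    }
    // Exact match: strict comparison, so no type juggling (a JSON number
    // never equals a string), no trimming and no case folding.
    if ($userInfo['sub'] !== $expected) {
        throw new UnexpectedValueException('UserInfo sub does not match ID token sub');
    }
    return $userInfo;
}

// Constructed sample data, not taken from the pull request.
$idToken = ['iss' => 'https://op.example', 'sub' => '248289761001', 'aud' => 'client-1'];
$responses = [
    'matching sub'  => ['sub' => '248289761001', 'email' => 'jane@example.com'],
    'other subject' => ['sub' => '999999999999', 'email' => 'other@example.com'],
    'sub missing'   => ['email' => 'jane@example.com'],
    'integer sub'   => ['sub' => 248289761001, 'email' => 'jane@example.com'],
];

foreach ($responses as $label => $userInfo) {
    try {
        $claims = userInfoBoundToIdToken($idToken, $userInfo);
        echo "$label: accepted, email={$claims['email']}\n";
    } catch (UnexpectedValueException $e) {
        // Reject the whole response: none of its values may be used.
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Only the first constructed response is accepted; in every rejected case the caller gets no claims back, which matches the spec's requirement that mismatching UserInfo values not be used.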

hexmode pushed a commit to hexmode/OpenID-Connect-PHP that referenced this pull request Apr 20, 2024
@DeepDiver1975
Collaborator

rebase necessary - THX

@ricklambrechts
Contributor Author

@DeepDiver1975 done

@DeepDiver1975 DeepDiver1975 merged commit 0c8f54d into jumbojett:master Apr 22, 2024
9 checks passed
@ricklambrechts ricklambrechts deleted the check-sub-in-jwt-claims branch April 23, 2024 08:03
Magentron added a commit to Magentron/OpenID-Connect-PHP that referenced this pull request May 22, 2024
* upstream/master:
  fix: Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed (jumbojett#373)
  fix: Check if subject is equal to subject of id token when verifying JWT claims (jumbojett#406)
  fix: Cast SERVER_PORT to integer (jumbojett#404)
  chore(deps): bump actions/cache from 3 to 4 (jumbojett#417)
  chore(deps): bump actions/checkout from 2 to 4 (jumbojett#416)
  docs: Update README.md to correct addScope parameter type in 1.0.0 (jumbojett#405)
  chore: Update ci to support php 8.3 and add dependabot (jumbojett#407)
  release: 1.0.0 (jumbojett#402)
  Set the User-Agent regardless of GET or POST (jumbojett#382)
  fix: Update well known config value function response types (jumbojett#376)
  feat: set useragent (jumbojett#370)
  feat: php7.0 minimum requirement (jumbojett#327)

# Conflicts:
#	CHANGELOG.md
Magentron added a commit to Magentron/OpenID-Connect-PHP that referenced this pull request May 22, 2024
…est-token

* master:
  fix: Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed (jumbojett#373)
  fix: Check if subject is equal to subject of id token when verifying JWT claims (jumbojett#406)
  fix: Cast SERVER_PORT to integer (jumbojett#404)
  chore(deps): bump actions/cache from 3 to 4 (jumbojett#417)
  chore(deps): bump actions/checkout from 2 to 4 (jumbojett#416)
  docs: Update README.md to correct addScope parameter type in 1.0.0 (jumbojett#405)
  chore: Update ci to support php 8.3 and add dependabot (jumbojett#407)
  release: 1.0.0 (jumbojett#402)
  Set the User-Agent regardless of GET or POST (jumbojett#382)
  fix: Update well known config value function response types (jumbojett#376)
  feat: set useragent (jumbojett#370)
  feat: php7.0 minimum requirement (jumbojett#327)
  updated composer.json added replace, updated README.md added notification about project forked from

# Conflicts:
#	CHANGELOG.md