Skip to content

Check subject on unsigned / unencrypted response #478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Check subject on unsigned / unencrypted response #478

wants to merge 3 commits into from

Conversation

@SamuelWei
Copy link
Contributor

@SamuelWei SamuelWei commented Apr 29, 2025
edited
Loading

Currently the userinfo data is not checked for unsigned / unencrypted responses.
However the specs require a validation of the subject:

The sub (subject) Claim MUST always be returned in the UserInfo Response.

NOTE: Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.

https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

List of common tasks a pull request require complete

  • Changelog entry is added or the pull request don't alter library's functionality

@SamuelWei
Check subject on unsigned / unencrypted response
0ab3dbc 
The sub (subject) Claim MUST always be returned in the UserInfo Response.

NOTE: Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.

https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
@SamuelWei
Update changelog
f2dc471
@SamuelWei
Merge branch 'master' into SamuelWei-verify-sub-on-userinfo
085b5e0
@SamuelWei SamuelWei mentioned this pull request Jun 24, 2025
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SamuelWei