Use azp instead of aud (#2607)
This commit is contained in:
parent
550ac3162a
commit
0ddabc96f6
|
@ -959,8 +959,12 @@ sub run {
|
||||||
|
|
||||||
$self->logger->debug("Check sub of ID Token $id_token_hint");
|
$self->logger->debug("Check sub of ID Token $id_token_hint");
|
||||||
|
|
||||||
|
# TODO: we should check JWT signature here to avoid DoS by
|
||||||
|
# logging the user out, however, as long as there is no logout
|
||||||
|
# confirmation when accessing ?logout=1, such a protection is
|
||||||
|
# trivial to bypass
|
||||||
my $payload = getJWTPayload($id_token_hint);
|
my $payload = getJWTPayload($id_token_hint);
|
||||||
my @audience = @{ $payload->{aud} };
|
my $azp = $payload->{azp};
|
||||||
|
|
||||||
# Check bypassConfirm parameter for rp using audience
|
# Check bypassConfirm parameter for rp using audience
|
||||||
foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
|
foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
|
||||||
|
@ -968,9 +972,9 @@ sub run {
|
||||||
my $rpid =
|
my $rpid =
|
||||||
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
||||||
->{oidcRPMetaDataOptionsClientID};
|
->{oidcRPMetaDataOptionsClientID};
|
||||||
foreach (@audience) {
|
|
||||||
my $aud = $_;
|
# this works because _generateIDToken always sets azp
|
||||||
if ( $aud eq $rpid ) {
|
if ( $azp and $rpid eq $azp ) {
|
||||||
$bypassConfirm =
|
$bypassConfirm =
|
||||||
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
||||||
->{oidcRPMetaDataOptionsLogoutBypassConfirm};
|
->{oidcRPMetaDataOptionsLogoutBypassConfirm};
|
||||||
|
@ -980,8 +984,6 @@ sub run {
|
||||||
last;
|
last;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
last if $bypassConfirm;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Ask consent for logout
|
# Ask consent for logout
|
||||||
|
@ -2422,7 +2424,7 @@ sub _generateIDToken {
|
||||||
iat => time, # Issued time
|
iat => time, # Issued time
|
||||||
auth_time => $sessionInfo->{_lastAuthnUTime}, # Authentication time
|
auth_time => $sessionInfo->{_lastAuthnUTime}, # Authentication time
|
||||||
acr => $id_token_acr, # Authentication Context Class Reference
|
acr => $id_token_acr, # Authentication Context Class Reference
|
||||||
azp => $client_id, # Authorized party
|
azp => $client_id, # Authorized party, this is used for logout
|
||||||
# TODO amr
|
# TODO amr
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user