Use azp instead of aud (#2607)
This commit is contained in:
parent
550ac3162a
commit
0ddabc96f6
@ -959,8 +959,12 @@ sub run {
|
||||||
|
|
||||||
$self->logger->debug("Check sub of ID Token $id_token_hint");
|
$self->logger->debug("Check sub of ID Token $id_token_hint");
|
||||||
|
|
||||||
my $payload = getJWTPayload($id_token_hint);
|
# TODO: we should check JWT signature here to avoid DoS by
|
||||||
my @audience = @{ $payload->{aud} };
|
# logging the user out, however, as long as there is no logout
|
||||||
|
# confirmation when accessing ?logout=1, such a protection is
|
||||||
|
# trivial to bypass
|
||||||
|
my $payload = getJWTPayload($id_token_hint);
|
||||||
|
my $azp = $payload->{azp};
|
||||||
|
|
||||||
# Check bypassConfirm parameter for rp using audience
|
# Check bypassConfirm parameter for rp using audience
|
||||||
foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
|
foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
|
||||||
|
@ -968,19 +972,17 @@ sub run {
|
||||||
my $rpid =
|
my $rpid =
|
||||||
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
||||||
->{oidcRPMetaDataOptionsClientID};
|
->{oidcRPMetaDataOptionsClientID};
|
||||||
foreach (@audience) {
|
|
||||||
my $aud = $_;
|
# this works because _generateIDToken always sets azp
|
||||||
if ( $aud eq $rpid ) {
|
if ( $azp and $rpid eq $azp ) {
|
||||||
$bypassConfirm =
|
$bypassConfirm =
|
||||||
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
||||||
->{oidcRPMetaDataOptionsLogoutBypassConfirm};
|
->{oidcRPMetaDataOptionsLogoutBypassConfirm};
|
||||||
$self->logger->debug(
|
$self->logger->debug(
|
||||||
"Bypass logout confirm for RP $logout_rp")
|
"Bypass logout confirm for RP $logout_rp")
|
||||||
if $bypassConfirm;
|
if $bypassConfirm;
|
||||||
last;
|
last;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
last if $bypassConfirm;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2421,9 +2423,9 @@ sub _generateIDToken {
|
||||||
exp => $id_token_exp, # expiration
|
exp => $id_token_exp, # expiration
|
||||||
iat => time, # Issued time
|
iat => time, # Issued time
|
||||||
auth_time => $sessionInfo->{_lastAuthnUTime}, # Authentication time
|
auth_time => $sessionInfo->{_lastAuthnUTime}, # Authentication time
|
||||||
acr => $id_token_acr, # Authentication Context Class Reference
|
acr => $id_token_acr, # Authentication Context Class Reference
|
||||||
azp => $client_id, # Authorized party
|
azp => $client_id, # Authorized party, this is used for logout
|
||||||
# TODO amr
|
# TODO amr
|
||||||
};
|
};
|
||||||
|
|
||||||
for ( keys %{$extra_claims} ) {
|
for ( keys %{$extra_claims} ) {
|
||||||
|
|
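Review bot: In the first hunk the logout-confirmation bypass is now decided by the `azp` claim of `id_token_hint`, and the hunk's own TODO says the token signature is not checked, so `$azp` is a caller-supplied value rather than an authenticated client identity; the line `# this works because _generateIDToken always sets azp` should say so, e.g. `# azp is read from an unverified id_token_hint: it only selects which RP's bypassConfirm setting applies, it does not authenticate the caller`. The comparison also deserves a guard on the RP side, `if ( defined $rpid and defined $azp and $rpid eq $azp ) {`, so an RP entry that lacks oidcRPMetaDataOptionsClientID cannot produce an uninitialized-value warning or, if the claim is likewise missing, a vacuous match. The enclosing `sub run` starts before the first hunk and ends after the second, and the third hunk in `_generateIDToken` only changes a comment.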