Use azp instead of aud (#2607)
This commit is contained in:
parent
550ac3162a
commit
0ddabc96f6
|
@ -959,8 +959,12 @@ sub run {
|
|||
|
||||
$self->logger->debug("Check sub of ID Token $id_token_hint");
|
||||
|
||||
# TODO: we should check JWT signature here to avoid DoS by
|
||||
# logging the user out, however, as long as there is no logout
|
||||
# confirmation when accessing ?logout=1, such a protection is
|
||||
# trivial to bypass
|
||||
my $payload = getJWTPayload($id_token_hint);
|
||||
my @audience = @{ $payload->{aud} };
|
||||
my $azp = $payload->{azp};
|
||||
|
||||
# Check bypassConfirm parameter for rp using audience
|
||||
foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
|
||||
|
@ -968,9 +972,9 @@ sub run {
|
|||
my $rpid =
|
||||
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
||||
->{oidcRPMetaDataOptionsClientID};
|
||||
foreach (@audience) {
|
||||
my $aud = $_;
|
||||
if ( $aud eq $rpid ) {
|
||||
|
||||
# this works because _generateIDToken always sets azp
|
||||
if ( $azp and $rpid eq $azp ) {
|
||||
$bypassConfirm =
|
||||
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
|
||||
->{oidcRPMetaDataOptionsLogoutBypassConfirm};
|
||||
|
@ -980,8 +984,6 @@ sub run {
|
|||
last;
|
||||
}
|
||||
}
|
||||
last if $bypassConfirm;
|
||||
}
|
||||
}
|
||||
|
||||
# Ask consent for logout
|
||||
|
@ -2422,7 +2424,7 @@ sub _generateIDToken {
|
|||
iat => time, # Issued time
|
||||
auth_time => $sessionInfo->{_lastAuthnUTime}, # Authentication time
|
||||
acr => $id_token_acr, # Authentication Context Class Reference
|
||||
azp => $client_id, # Authorized party
|
||||
azp => $client_id, # Authorized party, this is used for logout
|
||||
# TODO amr
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user