dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use azp instead of aud (#2607)

Browse Source
This commit is contained in:
Maxime Besson 2022-07-11 09:18:01 +02:00
parent 550ac3162a
commit 0ddabc96f6
1 changed files with 19 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
View File

@ -959,8 +959,12 @@ sub run {
$self->logger->debug("Check sub of ID Token $id_token_hint");
# TODO: we should check JWT signature here to avoid DoS by
# logging the user out, however, as long as there is no logout
# confirmation when accessing ?logout=1, such a protection is
# trivial to bypass
my $payload = getJWTPayload($id_token_hint);
my @audience = @{ $payload->{aud} };
my $azp = $payload->{azp};
# Check bypassConfirm parameter for rp using audience
foreach ( keys %{ $self->conf->{oidcRPMetaDataOptions} } ) {
@ -968,9 +972,9 @@ sub run {
my $rpid =
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
->{oidcRPMetaDataOptionsClientID};
foreach (@audience) {
my $aud = $_;
if ( $aud eq $rpid ) {
# this works because _generateIDToken always sets azp
if ( $azp and $rpid eq $azp ) {
$bypassConfirm =
$self->conf->{oidcRPMetaDataOptions}->{$logout_rp}
->{oidcRPMetaDataOptionsLogoutBypassConfirm};
@ -980,8 +984,6 @@ sub run {
last;
}
}
last if $bypassConfirm;
}
}
# Ask consent for logout
@ -2422,7 +2424,7 @@ sub _generateIDToken {
iat => time, # Issued time
auth_time => $sessionInfo->{_lastAuthnUTime}, # Authentication time
acr => $id_token_acr, # Authentication Context Class Reference
azp => $client_id, # Authorized party
azp => $client_id, # Authorized party, this is used for logout
# TODO amr
};