From 3c3cc39d0c755fb2266c85b4f6926641d9eea5e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Sat, 31 Jan 2015 14:33:05 +0000
Subject: [PATCH] Check sub of UserInfo JSON (references #183)
---
 .../lib/Lemonldap/NG/Portal/UserDBOpenIDConnect.pm | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBOpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBOpenIDConnect.pm
index 9e91ed298..f1c4f14dd 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBOpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/UserDBOpenIDConnect.pm
@@ -39,6 +39,12 @@ sub getUser {
 $self->{tmp}->{OpenIDConnect_user_info} = $self->decodeJSON($userinfo_content);
+ # Check that received sub is the same than current user
+ unless ( $self->{tmp}->{OpenIDConnect_user_info}->{sub} eq $self->{user} ) {
+ $self->lmLog( "Received sub do not match current user", 'error' );
+ return PE_BADCREDENTIALS;
+ }
+ PE_OK;
 }
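Review bot: The added `unless` test compares with `eq` without checking that either side is defined, so a UserInfo response that fails to decode or carries no `sub` is compared as an empty string (with an "uninitialized" warning), and would be accepted if `$self->{user}` were also empty at this point. I would make the guard explicit, e.g. `my $sub = $self->{tmp}->{OpenIDConnect_user_info}->{sub};` followed by `unless ( defined $sub and defined $self->{user} and $sub eq $self->{user} ) {`. The decoded claims are also stored in `$self->{tmp}` before the comparison and stay there on the failure path. OpenID Connect Core requires that UserInfo values not be used when `sub` does not match, so adding `delete $self->{tmp}->{OpenIDConnect_user_info};` before `return PE_BADCREDENTIALS;` would keep later code from reading them. The start of `getUser` and the place where `$self->{user}` is set are outside the hunk, so that `$self->{user}` holds the ID Token `sub` is assumed here and worth confirming.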