Check id_token_hint request parameter for authenticated user (#184)

2015-03-25 16:13:09 +00:00 · 2015-03-25 16:13:09 +00:00 · 9f06668eef
commit 9f06668eef
parent 46e3b460c1
2 changed files with 48 additions and 1 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBOpenIDConnect.pm
@ -436,7 +436,7 @@ sub issuerForAuthUser {

        my $max_age         = $oidc_request->{'max_age'};
        my $_lastAuthnUTime = $self->{sessionInfo}->{_lastAuthnUTime};
-        if ( defined $max_age && time > $_lastAuthnUTime + $max_age ) {
+        if ( $max_age && time > $_lastAuthnUTime + $max_age ) {
            $self->lmLog(
 "Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)",
                'debug'
@ -495,6 +495,36 @@ sub issuerForAuthUser {
            $self->lmLog( "Client id $client_id match RP $rp", 'debug' );
        }

+        # Check id_token_hint
+        my $id_token_hint = $oidc_request->{'id_token_hint'};
+        if ($id_token_hint) {
+
+            $self->lmLog( "Check sub of ID Token $id_token_hint", 'debug' );
+
+            # Check that id_token_hint sub match current user
+            my $sub               = $self->getIDTokenSub($id_token_hint);
+            my $user_id_attribute = $self->{oidcRPMetaDataOptions}->{$rp}
+              ->{oidcRPMetaDataOptionsUserIDAttr} || $self->{whatToTrace};
+            my $user_id = $self->{sessionInfo}->{$user_id_attribute};
+            unless ( $sub eq $user_id ) {
+                $self->lmLog(
+                    "ID Token hint sub $sub do not match user $user_id",
+                    'error' );
+                $self->returnRedirectError(
+                    $oidc_request->{'redirect_uri'},
+                    "invalid_request",
+                    "current user do not match id_token_hint sub",
+                    undef,
+                    $oidc_request->{'state'},
+                    ( $flow ne "authorizationcode" )
+                );
+            }
+            else {
+                $self->lmLog( "ID Token hint sub $sub match current user",
+                    'debug' );
+            }
+        }
+
        # Obtain consent
        my $ask_for_consent = 1;
        if (    $self->{sessionInfo}->{"_oidc_consent_time_$rp"}
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_OpenIDConnect.pm
@ -1159,6 +1159,19 @@ sub getFlowType {
    return $response_types->{$response_type};
 }

+## @method String getIDTokenSub(String id_token)
+# Return sub field of an ID Token
+# @param id_token ID Token
+# @return String sub
+sub getIDTokenSub {
+    my ( $self, $id_token ) = splice @_;
+
+    my $jwt     = $self->extractJWT($id_token);
+    my $payload = decode_json( decode_base64( $jwt->[1] ) );
+
+    return $payload->{sub};
+}
+
 1;

 __END__
@ -1300,6 +1313,10 @@ Return ID Token

 Return flow type

+=head2 getIDTokenSub
+
+Return sub field of an ID Token
+
 =head1 SEE ALSO

 L<Lemonldap::NG::Portal::AuthOpenIDConnect>, L<Lemonldap::NG::Portal::UserDBOpenIDConnect>