Check id_token_hint request parameter for authenticated user (#184)
This commit is contained in:
parent
46e3b460c1
commit
9f06668eef
@ -436,7 +436,7 @@ sub issuerForAuthUser {
|
|||||||
|
|
||||||
my $max_age = $oidc_request->{'max_age'};
|
my $max_age = $oidc_request->{'max_age'};
|
||||||
my $_lastAuthnUTime = $self->{sessionInfo}->{_lastAuthnUTime};
|
my $_lastAuthnUTime = $self->{sessionInfo}->{_lastAuthnUTime};
|
||||||
if ( defined $max_age && time > $_lastAuthnUTime + $max_age ) {
|
if ( $max_age && time > $_lastAuthnUTime + $max_age ) {
|
||||||
$self->lmLog(
|
$self->lmLog(
|
||||||
"Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)",
|
"Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)",
|
||||||
'debug'
|
'debug'
|
||||||
@ -495,6 +495,36 @@ sub issuerForAuthUser {
|
|||||||
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
|
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Check id_token_hint
|
||||||
|
my $id_token_hint = $oidc_request->{'id_token_hint'};
|
||||||
|
if ($id_token_hint) {
|
||||||
|
|
||||||
|
$self->lmLog( "Check sub of ID Token $id_token_hint", 'debug' );
|
||||||
|
|
||||||
|
# Check that id_token_hint sub match current user
|
||||||
|
my $sub = $self->getIDTokenSub($id_token_hint);
|
||||||
|
my $user_id_attribute = $self->{oidcRPMetaDataOptions}->{$rp}
|
||||||
|
->{oidcRPMetaDataOptionsUserIDAttr} || $self->{whatToTrace};
|
||||||
|
my $user_id = $self->{sessionInfo}->{$user_id_attribute};
|
||||||
|
unless ( $sub eq $user_id ) {
|
||||||
|
$self->lmLog(
|
||||||
|
"ID Token hint sub $sub do not match user $user_id",
|
||||||
|
'error' );
|
||||||
|
$self->returnRedirectError(
|
||||||
|
$oidc_request->{'redirect_uri'},
|
||||||
|
"invalid_request",
|
||||||
|
"current user do not match id_token_hint sub",
|
||||||
|
undef,
|
||||||
|
$oidc_request->{'state'},
|
||||||
|
( $flow ne "authorizationcode" )
|
||||||
|
);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$self->lmLog( "ID Token hint sub $sub match current user",
|
||||||
|
'debug' );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# Obtain consent
|
# Obtain consent
|
||||||
my $ask_for_consent = 1;
|
my $ask_for_consent = 1;
|
||||||
if ( $self->{sessionInfo}->{"_oidc_consent_time_$rp"}
|
if ( $self->{sessionInfo}->{"_oidc_consent_time_$rp"}
|
||||||
|
@ -1159,6 +1159,19 @@ sub getFlowType {
|
|||||||
return $response_types->{$response_type};
|
return $response_types->{$response_type};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
## @method String getIDTokenSub(String id_token)
|
||||||
|
# Return sub field of an ID Token
|
||||||
|
# @param id_token ID Token
|
||||||
|
# @return String sub
|
||||||
|
sub getIDTokenSub {
|
||||||
|
my ( $self, $id_token ) = splice @_;
|
||||||
|
|
||||||
|
my $jwt = $self->extractJWT($id_token);
|
||||||
|
my $payload = decode_json( decode_base64( $jwt->[1] ) );
|
||||||
|
|
||||||
|
return $payload->{sub};
|
||||||
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
||||||
__END__
|
__END__
|
||||||
@ -1300,6 +1313,10 @@ Return ID Token
|
|||||||
|
|
||||||
Return flow type
|
Return flow type
|
||||||
|
|
||||||
|
=head2 getIDTokenSub
|
||||||
|
|
||||||
|
Return sub field of an ID Token
|
||||||
|
|
||||||
=head1 SEE ALSO
|
=head1 SEE ALSO
|
||||||
|
|
||||||
L<Lemonldap::NG::Portal::AuthOpenIDConnect>, L<Lemonldap::NG::Portal::UserDBOpenIDConnect>
|
L<Lemonldap::NG::Portal::AuthOpenIDConnect>, L<Lemonldap::NG::Portal::UserDBOpenIDConnect>
|
||||||
|
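Review bot: `getIDTokenSub` (hunk 3) decodes the hint's payload with no error handling, so a malformed or truncated `id_token_hint` makes `extractJWT`/`decode_json` die inside `issuerForAuthUser` instead of producing the `invalid_request` redirect the hunk 2 branch intends; note also that MIME::Base64's `decode_base64` silently drops the `-` and `_` characters of the base64url alphabet JWTs use, so a payload containing either is corrupted before parsing (MIME::Base64 also provides `decode_base64url`, if the file imports it — the existing JWT helpers may already cope with this, I can't see them). I would guard the decode with `my $payload = eval { decode_json( decode_base64( $jwt->[1] ) ) };` and `return unless $payload;`, and make the caller's comparison `unless ( defined $sub && $sub eq $user_id ) {` so an undefined sub counts as a mismatch rather than an undef-warning string compare. Because the payload is read without any signature or audience check, the comparison only shows that the caller presented some token naming the current user, which is acceptable for a hint but worth recording: `# payload is read unverified: this only rejects hints for another user, it does not authenticate the token`. The debug line `Check sub of ID Token $id_token_hint` writes the whole ID token to the log; logging only the extracted sub keeps tokens out of log files. If `returnRedirectError` does not end the request (its body is outside these hunks), control falls through to the consent step after the mismatch branch; `issuerForAuthUser` itself begins and ends outside the hunks.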