This repository was archived by the owner on Dec 13, 2018. It is now read-only.

[OIDC] GetUserInformationAsync needs to fail if the subjects do not match #407

@Tratcher

OpenIdConnectHandler…
protected virtual async Task GetUserInformationAsync(AuthenticationProperties properties, OpenIdConnectMessage message, AuthenticationTicket ticket)

The protocol requires that the subject from the UI endpoint must equal the subject of the id_token received from redeeming the code for an ‘access_token + id_token’.
Our code logs and returns the original ticket parameter on failure (there are two failures: 1. The sub claim is not found, 2. The sub claims do not match). We should fault as something is wrong.
Also the code would be a whole lot simpler if we just fished the ‘sub’ claim out of the ‘id_token’ that arrived with the access token, rather than run through the ClaimsIdentity.


Yes, we should throw instead of just logging. What does the absence of the subject claim in the id_token received from the token endpoint indicate? Is that an error we should throw or just something that we log?
[brent] OIDC requires the ‘sub’ claim in the id_token; if it’s not there, that is not a protocol-compliant message from the token endpoint.

Also the code would be a whole lot simpler if we just fished the ‘sub’ claim out of the ‘id_token’ that arrived with the access token, rather than run through the ClaimsIdentity.
[tushar] not sure if I understand this. Do you mean not looking into the ‘sub’ claim in the ‘id_token’ and just using the one we receive from UI endpoint?
[brent] the flow is: code -> id_token + access token -> UI Endpoint -> JSON claims.

There must be a ‘sub’ claim in the id_token and in the JSON claims. The ‘sub’ must match. IIRC, conversations with Mike Jones indicated if this is not true, we must fault.
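The check described in this issue, as an added example (written in Python rather than the handler's C#, and not code from this issue or from the repository): the ‘sub’ of the id_token and the ‘sub’ of the UserInfo JSON are both required, compared exactly, and every failure raises instead of returning the original ticket. Signature validation of the id_token is assumed to have already happened upstream; the sample token built at the bottom is constructed and unsigned.

```python
import base64
import json


class SubjectMismatchError(Exception):
    """Raised when the UserInfo response cannot be bound to the id_token."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def subject_from_id_token(id_token: str) -> str:
    """Return the 'sub' claim of an already signature-verified id_token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise SubjectMismatchError("id_token is not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        # OIDC Core requires 'sub' in every id_token; its absence means the
        # token endpoint response is not protocol compliant: fail, don't log.
        raise SubjectMismatchError("id_token has no 'sub' claim")
    return sub


def validate_userinfo(id_token: str, userinfo_json: str) -> dict:
    """Return the UserInfo claims only if their subject matches the id_token."""
    expected = subject_from_id_token(id_token)
    claims = json.loads(userinfo_json)
    actual = claims.get("sub")
    if not isinstance(actual, str) or not actual:
        raise SubjectMismatchError("UserInfo response has no 'sub' claim")
    # 'sub' is case-sensitive: exact string comparison, no normalisation.
    if actual != expected:
        raise SubjectMismatchError(
            f"UserInfo subject {actual!r} != id_token subject {expected!r}")
    return claims


def make_sample_id_token(payload: dict) -> str:
    # Constructed, unsigned sample token for demonstration only; a real
    # id_token's signature must be verified before subject_from_id_token runs.
    def enc(d: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(d).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.sig-omitted"
```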
