This repository has been archived by the owner on Dec 13, 2018. It is now read-only.
OpenIdConnectHandler…
protected virtual async Task GetUserInformationAsync(AuthenticationProperties properties, OpenIdConnectMessage message, AuthenticationTicket ticket)
The protocol requires that the subject from the UI endpoint equal the subject of the id_token received from redeeming the code for an ‘access_token + id_token’.
Our code logs and returns the original ticket parameter on failure (there are two failures: 1. the sub claim is not found; 2. the sub claims do not match). We should fault, as something is wrong.
Also, the code would be a whole lot simpler if we just fished the ‘sub’ claim out of the ‘id_token’ that arrived with the access token, rather than running through the ClaimsIdentity.
Yes, we should throw instead of just logging. What does the absence of the subject claim in the id_token received from the token endpoint indicate? Is that an error we should throw on, or just something that we log?
[brent] OIDC requires the ‘sub’ claim in the id_token; if it’s not there, that is not a protocol-compliant message from the token endpoint.
Also, the code would be a whole lot simpler if we just fished the ‘sub’ claim out of the ‘id_token’ that arrived with the access token, rather than running through the ClaimsIdentity.
[tushar] Not sure if I understand this. Do you mean not looking into the ‘sub’ claim in the ‘id_token’ and just using the one we receive from the UI endpoint?
[brent] The flow is: code -> id_token + access token -> UI endpoint -> JSON claims.
There must be a ‘sub’ claim in the id_token and in the JSON claims. The ‘sub’ values must match. IIRC, conversations with Mike Jones indicated that if this is not true, we must fault.
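The check discussed in the issue, as an added standalone example in Python (written here to illustrate the protocol rule; it is not code from OpenIdConnectHandler or the aspnet/Security repository): verify the id_token, require a ‘sub’ claim in it and in the UserInfo JSON, compare the two, and raise on every failure instead of logging and handing back the original ticket. The HS256 shared key, issuer, client id, subject value and UserInfo responses are all constructed for the example; a real provider signs the id_token with its own published key.

```python
import base64
import hashlib
import hmac
import json


class OidcProtocolError(Exception):
    """Raised when the token endpoint or UserInfo response is not protocol compliant."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed for the example: a real provider signs with its own key (typically RS256)
# published through discovery, not a shared secret baked into the client.
KEY = b"constructed-example-hmac-key"


def make_id_token(claims: dict, key: bytes = KEY) -> str:
    """Build an HS256-signed id_token so the example can run offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verified_claims(id_token: str, key: bytes = KEY) -> dict:
    """Verify the id_token signature and return its payload claims; fault otherwise."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise OidcProtocolError("id_token is not a compact JWS")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise OidcProtocolError("unexpected id_token alg")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise OidcProtocolError("id_token signature invalid")
    return json.loads(_b64url_decode(payload))


def subject_for_userinfo(id_token: str, userinfo: dict, key: bytes = KEY) -> str:
    """Return the subject only when 'sub' is present in both places and equal.

    Every failure raises: a missing 'sub' in the id_token, a missing 'sub' in the
    UserInfo JSON, or two 'sub' values that differ. None of them is something to
    log and then carry on with the original identity.
    """
    id_sub = verified_claims(id_token, key).get("sub")
    if not id_sub:
        raise OidcProtocolError("id_token from the token endpoint has no 'sub' claim")
    ui_sub = userinfo.get("sub")
    if not ui_sub:
        raise OidcProtocolError("UserInfo response has no 'sub' claim")
    if id_sub != ui_sub:
        raise OidcProtocolError(f"'sub' mismatch: id_token={id_sub!r} userinfo={ui_sub!r}")
    return id_sub


def run_cases() -> dict:
    """Exercise the check on constructed inputs; returns each case's outcome."""
    good = make_id_token({"iss": "https://idp.example", "aud": "client-id", "sub": "248289761001"})
    no_sub = make_id_token({"iss": "https://idp.example", "aud": "client-id"})
    # A payload swapped after signing keeps the old signature and must be rejected
    # before the 'sub' comparison is ever reached.
    header, _, sig = good.split(".")
    forged = _b64url_encode(json.dumps({"sub": "someone-else"}).encode())
    tampered = f"{header}.{forged}.{sig}"
    cases = {
        "match": (good, {"sub": "248289761001", "name": "Jane Doe"}),
        "id_token_missing_sub": (no_sub, {"sub": "248289761001"}),
        "userinfo_missing_sub": (good, {"name": "Jane Doe"}),
        "mismatch": (good, {"sub": "someone-else"}),
        "tampered": (tampered, {"sub": "someone-else"}),
    }
    results = {}
    for name, (token, userinfo) in cases.items():
        try:
            results[name] = subject_for_userinfo(token, userinfo)
        except OidcProtocolError as err:
            results[name] = f"fault: {err}"
    return results


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case:22} {outcome}")
```

Running the file prints one line per case; only the matching pair yields a subject, and the caller never receives an identity for a missing or mismatched ‘sub’, which is the fault-instead-of-log behaviour the issue asks for.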