-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Optionally enforce the OIDC 'sub' claim #35401
Conversation
Thanks @gastaldi. We've just had a brief chat with Pedro as well, concern is, one more property. Pedro is right but I'm just terrified of breaking user applications, the experience shows enforcing things for not-necessarily essential things, ex, we don't know if having Also, the linking of the id token
Lets wait till Pedro comments further Cheers |
HI @pedroigor, I suppose, as far as the user experience is concerned, a property like the one added in this PR can be defaulted to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the reasons you pointed out, we can't be so strict in regards to the standards so that we can support different OPs.
LGTM.
This comment has been minimized.
This comment has been minimized.
Thanks @pedroigor, I'll keep it open till Monday in case we come up with some more comments, cheers |
Hey @pedroigor @gastaldi , as far as the docs are concerned, this is the one I have in mind, #32052, I'll have to find some time to prioritize |
What's the status of this one? |
Hi @geoand I was about to merge, but then thought about adding 2 more unit tests, let me do it and I'll merge afterwards |
9d91c57
to
aece027
Compare
Added 2 simple unit tests to |
Failing Jobs - Building aece027
Full information is available in the Build summary check run. Failures⚙️ JVM Tests - JDK 11 #- Failing: integration-tests/devmode
📦 integration-tests/devmode✖
|
Fixes #35397.
This PR supports an optional enforcement of the tokens containing a
sub
claim, and adds tests to confirm that if the token and UserInfosub
claims do not match then 401 is returned.Along the way, it optimizes the
nonce
verification added with one of the recent PRs, in #35039 (where an extra token parsing was done before the required token verification involving the same token parsed again). Now it is done in the same ``OidcProvider#verifyJwtTokenInternal` place.