Identify the invalid 'sub' value and reject the UserInfo Response. #441

Closed
duttarnab opened this issue Mar 26, 2020 · 4 comments

@duttarnab
Collaborator

Make a UserInfo Request and verify the 'sub' value of the UserInfo Response by comparing it with the ID Token's 'sub' value. Identify the invalid 'sub' value and reject the UserInfo Response.

Parent Ticket: #437

@duttarnab duttarnab added this to the 4.2 milestone Mar 26, 2020
@duttarnab duttarnab self-assigned this Mar 26, 2020
yuriyz added a commit that referenced this issue Apr 1, 2020
#441 - Identify the invalid 'sub' value and reject the UserInfo Response.
duttarnab added a commit that referenced this issue Apr 3, 2020
#441 - Identify the invalid 'sub' value and reject the UserInfo Response
@duttarnab
Collaborator Author

Done in 4.2

@duttarnab
Collaborator Author

@yuriyz, to complete this Conformance test case we need the id_token in the getUserInfo command so that the id_token sub value can be compared with the userInfo sub value.
I was taking the id_token from the Rp store in oxd (which I think is not the proper way). But for the Implicit flow (id_token, token) the id_token is not stored in the Rp in oxd (since the getTokenByCode command is not called in the Implicit flow).

Please advise how we can get the id_token in the getUserInfo command in oxd.

And the Conformance OP does not have an introspection endpoint.

@yuriyz
Contributor

yuriyz commented Apr 15, 2020

oxd was designed as a backchannel app. Sockets were removed a long time ago and HTTP is the main transport now. Thus it's time for oxd to have a direct /authorize command instead of /get-authorization-url and /get-tokens-by-code. oxd as an RP should completely handle the Connect work for the client application that is using oxd. I've created a ticket to improve that part here: #462.

So, back to your question: with the current oxd design the only way is to add an additional OPTIONAL id_token parameter to /get-user-info, which must be removed after #462 is done and with the next major release (to not break backward compatibility in a minor release). If id_token is present then validate the user info response against it. If it's not provided then skip validation. Add a configuration property validateUserInfoWithIdToken: false. If it's set to true and id_token is not provided then return an error.
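The check described in the comment above (optional id_token on the UserInfo call, skip when absent unless validateUserInfoWithIdToken forces it, reject on a sub mismatch), as an added example that is not oxd's own code. It assumes an HS256-signed ID token with a constructed shared secret so it runs offline; a real OP's RS256 token would be verified against the OP's JWKS instead.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_id_token(claims: dict, secret: bytes) -> str:
    """Build a minimal HS256 JWT (constructed test data, stands in for the OP's ID token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def id_token_sub(id_token: str, secret: bytes) -> str:
    """Verify the ID token signature, then return its 'sub'. Never trust an unverified payload."""
    header, payload, sig = id_token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("id_token signature invalid")
    return json.loads(_b64url_decode(payload))["sub"]


def check_userinfo(userinfo: dict, id_token, secret: bytes,
                   validate_with_id_token: bool = False):
    """Return (accepted, reason) for a UserInfo response, following the proposed oxd rules."""
    if id_token is None:
        if validate_with_id_token:
            # validateUserInfoWithIdToken=true makes the id_token mandatory
            return False, "id_token required by validateUserInfoWithIdToken but not provided"
        return True, "validation skipped: no id_token supplied"
    expected_sub = id_token_sub(id_token, secret)
    actual_sub = userinfo.get("sub")
    if actual_sub is None:
        return False, "UserInfo response has no sub claim"
    if actual_sub != expected_sub:  # OIDC Core 5.3.2: sub MUST match exactly, case-sensitive
        return False, f"sub mismatch: UserInfo {actual_sub!r} vs id_token {expected_sub!r}"
    return True, "UserInfo sub matches id_token sub"
```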

@duttarnab
Collaborator Author

Done in 4.2
