From 0ab3dbc8f644c43415bdb57982855e2a20deb8c5 Mon Sep 17 00:00:00 2001
From: Samuel Weirich <4281791+SamuelWei@users.noreply.github.com>
Date: Tue, 29 Apr 2025 11:38:29 +0200
Subject: [PATCH 1/2] Check subject on unsigned / unencrypted response

The sub (subject) Claim MUST always be returned in the UserInfo Response.

NOTE: Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.

https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
---
 src/OpenIDConnectClient.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index 32001612..1bfe0564 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -1303,6 +1303,11 @@ public function requestUserInfo(?string $attribute = null) {
 $user_json = $claims;
 } else {
 $user_json = json_decode($response, false);
+
+ // Check subject
+ if(!isset($user_json->sub) || $user_json->sub !== $this->getIdTokenPayload()->sub){
+ throw new OpenIDConnectClientException('Invalid subject in user info response');
+ }
 }
 $userInfo = $user_json;

From f2dc4710144003085dc806491423b01403ea8e00 Mon Sep 17 00:00:00 2001
From: Samuel Weirich <4281791+SamuelWei@users.noreply.github.com>
Date: Tue, 29 Apr 2025 11:40:25 +0200
Subject: [PATCH 2/2] Update changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee24d509..ea4ce772 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
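Review bot: The new guard reads `$this->getIdTokenPayload()->sub` without first checking that an ID token payload with a `sub` is actually present, so when it is missing the comparison degrades into a PHP undefined-property / property-on-null warning and a `null` right-hand operand instead of a clear failure; `requestUserInfo` continues outside the hunk on both sides, so I cannot tell from here whether an earlier step guarantees it. Pulling the expected value out first makes the precondition explicit: `$idTokenSub = $this->getIdTokenPayload()->sub ?? null;` followed by `if ($idTokenSub === null || !isset($user_json->sub) || $user_json->sub !== $idTokenSub) {`. Separately, a non-JSON body makes `json_decode` return `null`, which this guard then reports as "Invalid subject in user info response" rather than as a malformed response, so checking the decode result before the subject comparison would keep the two failures distinguishable in logs. A spec pointer on the comment would also help future readers, e.g. `// OIDC Core 5.3.2: sub MUST exactly match the ID Token's sub, otherwise the response MUST NOT be used (token substitution)`.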
@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 - Check existence of subject when verifying JWT #474
+- Verify subject for all UserInfo Responses #478
 ## [1.0.1] - 2024-09-13