Describe the bug
When working with a custom OidcUserInfo (id_token), where we overwrite the `sub` claim with my user ID (as shown in the code snippet below), this snippet fails because it expects the `sub` to be the username of the user.
To Reproduce
```java
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.stereotype.Service;

@Service
public class OidcUserInfoService {
    // omitted

    // Builds the claims merged into the id_token; "sub" is set to the user's ID, not the username
    private OidcUserInfo createOidcUserInfo(User user) {
        return OidcUserInfo.builder()
                .subject(user.getId().toString()) /* <= (HERE) */
                .preferredUsername(user.getUsername())
                .email(user.getUsername())
                .emailVerified(true)
                .name(user.getName())
                .build();
    }
    // omitted
}
```
Steps to reproduce the behavior.
Expected behavior
That I can exit successfully, passing my `id_token` as the value of the `id_token_hint` parameter.
Sample
My custom token implementation ...
```java
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.stereotype.Component;

@Component
public class JwtTokenCustomizer implements OAuth2TokenCustomizer<JwtEncodingContext> {

    private final OidcUserInfoService userInfoService;

    public JwtTokenCustomizer(OidcUserInfoService oidcUserInfoService) {
        this.userInfoService = oidcUserInfoService;
    }

    @Override
    public void customize(JwtEncodingContext context) {
        // Parentheses make the original precedence explicit: && binds tighter than ||
        if ((!isAccessToken(context) && !isIdToken(context)) || isClientCredentials(context)) {
            // Client-only tokens: merge the registered client's info
            var registeredClient = context.getRegisteredClient();
            var clientInfo = userInfoService.loadClientInfo(registeredClient.getId());
            context.getClaims().claims(claims -> claims.putAll(clientInfo));
        } else {
            var currentUser = context.getPrincipal().getName();
            if (isAccessToken(context)) {
                var userInfo = userInfoService.loadUserProviderInfo(currentUser);
                context.getClaims().claims(claims -> claims.putAll(userInfo));
            } else if (isIdToken(context)) {
                // The custom OidcUserInfo overwrites "sub" with the user ID
                var userInfo = userInfoService.loadOidcUserInfo(currentUser); /* <= (HERE) */
                context.getClaims().claims(claims -> claims.putAll(userInfo.getClaims()));
            }
        }
    }
    // omitted
}
```
Failed to evaluate this condition on source code line:

spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcLogoutAuthenticationProvider.java (line 135 in ece9f10):

```java
!idToken.getSubject().equals(userPrincipal.getName())) {
```
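As an added example (not code from this issue or from Spring Authorization Server), a customizer that keeps `sub` equal to the principal name, which is what the logout provider's check quoted above compares against, and carries the database id in a separate claim instead of overwriting `sub`. The class name, the `user_id` claim name and the `OidcUserInfoService` lookup are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.stereotype.Component;

// Added example: "sub" stays bound to the authenticated principal so that
// id_token_hint validation at logout still matches the session; the user's
// database id travels in its own claim.
@Component
public class SubPreservingIdTokenCustomizer implements OAuth2TokenCustomizer<JwtEncodingContext> {

    // Assumed claim name for the numeric/UUID user id.
    static final String USER_ID_CLAIM = "user_id";

    private final OidcUserInfoService userInfoService; // assumed, as in the issue

    public SubPreservingIdTokenCustomizer(OidcUserInfoService userInfoService) {
        this.userInfoService = userInfoService;
    }

    @Override
    public void customize(JwtEncodingContext context) {
        if (!OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
            return; // only the id_token is used as id_token_hint
        }
        String principalName = context.getPrincipal().getName();
        OidcUserInfo userInfo = userInfoService.loadOidcUserInfo(principalName);
        Map<String, Object> merged = mergeKeepingSubject(principalName, userInfo.getClaims());
        context.getClaims().claims(claims -> claims.putAll(merged));
    }

    // Pure helper: copies the custom claims but forces "sub" back to the principal
    // name; a different subject supplied by the custom info is kept as user_id.
    static Map<String, Object> mergeKeepingSubject(String principalName, Map<String, Object> custom) {
        Map<String, Object> out = new LinkedHashMap<>(custom);
        Object customSub = out.get(IdTokenClaimNames.SUB);
        if (customSub != null && !principalName.equals(customSub)) {
            out.put(USER_ID_CLAIM, customSub);
        }
        out.put(IdTokenClaimNames.SUB, principalName);
        return out;
    }
}
```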