Commit
Check if subject is equal to subject of id token when verifying JWT claims

Fixes jumbojett#406
ricklambrechts authored and hexmode committed Apr 20, 2024
1 parent a58907f commit c81c34f
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Updated CI to also test on PHP 8.3 #407
- Updated readme PHP requirement to PHP 7.0+ #407
- Added dependabot for GitHub Actions #407
- Check subject when verifying JWT claims #406

### Fixed
- Changed parameter #2 of http_build_query to empty string on requestTokenExchange to support PHP8.x #413
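Review bot: the new entry "Check subject when verifying JWT claims #406" does not say what the subject is checked against, so a reader of the changelog cannot tell which tokens will now be rejected; suggest wording it as "Verify that the `sub` claim matches the `sub` of the current ID token when verifying JWT claims #406". Since the commit message says it fixes #406 and the change tightens verification, consider whether it belongs under the "### Fixed" heading just below rather than the section it is in.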
1 change: 1 addition & 0 deletions src/OpenIDConnectClient.php
@@ -1206,6 +1206,7 @@ protected function verifyJWTClaims($claims, string $accessToken = null): bool
}
return (($this->validateIssuer($claims->iss))
&& (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud, true))
&& ($claims->sub === $this->getIdTokenPayload()->sub)
&& (!isset($claims->nonce) || $claims->nonce === $this->getNonce())
&& ( !isset($claims->exp) || ((is_int($claims->exp)) && ($claims->exp >= time() - $this->leeway)))
&& ( !isset($claims->nbf) || ((is_int($claims->nbf)) && ($claims->nbf <= time() + $this->leeway)))
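Review bot: the added line `&& ($claims->sub === $this->getIdTokenPayload()->sub)` is the only claim check in this expression that is not guarded the way `nonce`, `exp` and `nbf` are on the following lines, so a JWT without a `sub` claim, or a call made before an ID token payload is available, produces an undefined-property read instead of a clean `false`. Because `sub` is mandatory in an ID token, the check should require it explicitly and tolerate a missing stored payload, e.g. `&& (isset($claims->sub) && is_string($claims->sub) && $claims->sub === ($this->getIdTokenPayload()->sub ?? null))`. Also worth a one-line comment: if this method is the one that verifies the ID token's own claims, the comparison there is against the same payload and passes trivially, so the check only adds protection for other JWTs verified against the current ID token, and a future reader should not mistake it for a validation of the ID token itself.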

0 comments on commit c81c34f