From 0c8f54dd5f05bacee87f7abd10282a8c881affc3 Mon Sep 17 00:00:00 2001 From: Rick Lambrechts Date: Mon, 22 Apr 2024 15:18:47 +0200 Subject: [PATCH] fix: Check if subject is equal to subject of id token when verifying JWT claims (#406) * Check if subject is equal to subject of id token when verifying JWT claims * Add fake sub in test claims --- CHANGELOG.md | 1 + src/OpenIDConnectClient.php | 1 + tests/OpenIDConnectClientTest.php | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 05283d97..93149158 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Updated readme PHP requirement to PHP 7.0+ #407 - Added dependabot for GitHub Actions #407 - Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #403 +- Check subject when verifying JWT #406 ## [1.0.0] - 2023-12-13 diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index aea060fc..abb37d8e 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1206,6 +1206,7 @@ protected function verifyJWTClaims($claims, string $accessToken = null): bool } return (($this->validateIssuer($claims->iss)) && (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud, true)) + && ($claims->sub === $this->getIdTokenPayload()->sub) && (!isset($claims->nonce) || $claims->nonce === $this->getNonce()) && ( !isset($claims->exp) || ((is_int($claims->exp)) && ($claims->exp >= time() - $this->leeway))) && ( !isset($claims->nbf) || ((is_int($claims->nbf)) && ($claims->nbf <= time() + $this->leeway))) diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php index a16be71b..f895879c 100644 --- a/tests/OpenIDConnectClientTest.php +++ b/tests/OpenIDConnectClientTest.php 
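Review bot: The added `$claims->sub === $this->getIdTokenPayload()->sub` term passes when `sub` is absent from both sides, because reading a missing stdClass property (or a property of a `null` payload) in PHP only warns and yields `null`, and `null === null` is true. `sub` is a required ID Token claim, so this should fail closed rather than rely on a warning: `&& (isset($claims->sub) && $claims->sub === $this->getIdTokenPayload()->sub)`. If the claims passed in are those of the ID token itself (as they may be on the authenticate path), the comparison is the token against itself and adds nothing; its value is for a separately obtained JWT such as a UserInfo response, so a one-line comment naming that intent (`// OIDC Core 5.3.2: sub must match the ID Token's sub`) would help the next reader. The enclosing verifyJWTClaims() begins before this hunk and the return expression continues after its last visible line.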
@@ -26,6 +26,7 @@ public function testAuthenticateDoesNotThrowExceptionIfClaimsIsMissingNonce() $fakeClaims = new StdClass(); $fakeClaims->iss = 'fake-issuer'; $fakeClaims->aud = 'fake-client-id'; + $fakeClaims->sub = 'fake-sub'; $fakeClaims->nonce = null; $_REQUEST['id_token'] = 'abc.123.xyz';