chore: prevent authentication of non-unique oidc subjects (#16498)

Any IdP returning an empty `sub` field here breaks the assumption of a
unique subject ID. This requirement is defined in the OIDC spec.
Steven Masley
2025-02-10 09:31:08 -06:00
committed by GitHub
parent 695d552cd0
commit d0a534e30d
6 changed files with 92 additions and 1 deletions


@ -1112,6 +1112,20 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
return
}
if idToken.Subject == "" {
logger.Error(ctx, "oauth2: missing 'sub' claim field in OIDC token",
slog.F("source", "id_token"),
slog.F("claim_fields", claimFields(idtokenClaims)),
slog.F("blank", blankFields(idtokenClaims)),
)
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "OIDC token missing 'sub' claim field or 'sub' claim field is empty.",
Detail: "'sub' claim field is required to be unique for all users by a given issue, " +
"an empty field is invalid and this authentication attempt is rejected.",
})
return
}
logger.Debug(ctx, "got oidc claims",
slog.F("source", "id_token"),
slog.F("claim_fields", claimFields(idtokenClaims)),