Skip to content
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -477,7 +477,20 @@ static void handleUserinfoResponse(
if (httpResponse.getStatusLine().getStatusCode() == 200) {
if (ContentType.parse(contentHeader.getValue()).getMimeType().equals("application/json")) {
final JWTClaimsSet userInfoClaims = JWTClaimsSet.parse(contentAsString);
validateUserInfoResponse(userInfoClaims, verifiedIdTokenClaims.getSubject(), claimsListener);
String expectedSub = verifiedIdTokenClaims.getSubject();
if (userInfoClaims.getSubject().isEmpty()) {
claimsListener.onFailure(new ElasticsearchSecurityException("Userinfo Response did not contain a sub Claim"));
return;
} else if (userInfoClaims.getSubject().equals(expectedSub) == false) {
claimsListener.onFailure(
new ElasticsearchSecurityException(
"Userinfo Response is not valid as it is for " + "subject [{}] while the ID Token was for subject [{}]",
userInfoClaims.getSubject(),
expectedSub
)
);
return;
}
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Successfully retrieved user information: [{}]", userInfoClaims);
}
Expand Down Expand Up @@ -527,27 +540,6 @@ static void handleUserinfoResponse(
}
}

/**
* Validates that the userinfo response contains a sub Claim and that this claim value is the same as the one returned in the ID Token
*/
private static void validateUserInfoResponse(
JWTClaimsSet userInfoClaims,
String expectedSub,
ActionListener<JWTClaimsSet> claimsListener
) {
if (userInfoClaims.getSubject().isEmpty()) {
claimsListener.onFailure(new ElasticsearchSecurityException("Userinfo Response did not contain a sub Claim"));
} else if (userInfoClaims.getSubject().equals(expectedSub) == false) {
claimsListener.onFailure(
new ElasticsearchSecurityException(
"Userinfo Response is not valid as it is for " + "subject [{}] while the ID Token was for subject [{}]",
userInfoClaims.getSubject(),
expectedSub
)
);
}
}

/**
* Attempts to make a request to the Token Endpoint of the OpenID Connect provider in order to exchange an
* authorization code for an Id Token (and potentially an Access Token)
Expand Down