fix: ensure an account's accountId and claims().sub is the same

closes #1336

Author: panva

lib/actions/grants/authorization_code.js

@@ -8,6 +8,7 @@ import dpopValidate, { DPOP_OK_WINDOW } from '../../helpers/validate_dpop.js';
 import resolveResource from '../../helpers/resolve_resource.js';
 import epochTime from '../../helpers/epoch_time.js';
 import checkRar from '../../shared/check_rar.js';
+import getCtxAccountClaims from '../../helpers/account_claims.js';
 
 const gty = 'authorization_code';
 
@@ -210,7 +211,7 @@ export const handler = async function authorizationCodeHandler(ctx) {
     const claims = filterClaims(code.claims, 'id_token', grant);
     const rejected = grant.getRejectedOIDCClaims();
     const token = new IdToken({
-      ...await account.claims('id_token', code.scope, claims, rejected),
+      ...await getCtxAccountClaims(ctx, 'id_token', code.scope, claims, rejected),
       acr: code.acr,
       amr: code.amr,
       auth_time: code.authTime,

lib/actions/grants/ciba.js

@@ -8,6 +8,7 @@ import revoke from '../../helpers/revoke.js';
 import dpopValidate, { DPOP_OK_WINDOW } from '../../helpers/validate_dpop.js';
 import resolveResource from '../../helpers/resolve_resource.js';
 import epochTime from '../../helpers/epoch_time.js';
+import getCtxAccountClaims from '../../helpers/account_claims.js';
 
 const {
   AuthorizationPending,
@@ -203,7 +204,7 @@ export const handler = async function cibaHandler(ctx) {
     const claims = filterClaims(request.claims, 'id_token', grant);
     const rejected = grant.getRejectedOIDCClaims();
     const token = new IdToken({
-      ...await account.claims('id_token', request.scope, claims, rejected),
+      ...await getCtxAccountClaims(ctx, 'id_token', request.scope, claims, rejected),
       ...{
         acr: request.acr,
         amr: request.amr,

lib/actions/grants/device_code.js

@@ -8,6 +8,7 @@ import revoke from '../../helpers/revoke.js';
 import dpopValidate, { DPOP_OK_WINDOW } from '../../helpers/validate_dpop.js';
 import resolveResource from '../../helpers/resolve_resource.js';
 import epochTime from '../../helpers/epoch_time.js';
+import getCtxAccountClaims from '../../helpers/account_claims.js';
 
 const {
   AuthorizationPending,
@@ -202,7 +203,7 @@ export const handler = async function deviceCodeHandler(ctx) {
     const claims = filterClaims(code.claims, 'id_token', grant);
     const rejected = grant.getRejectedOIDCClaims();
     const token = new IdToken({
-      ...await account.claims('id_token', code.scope, claims, rejected),
+      ...await getCtxAccountClaims(ctx, 'id_token', code.scope, claims, rejected),
       ...{
         acr: code.acr,
         amr: code.amr,

lib/actions/grants/refresh_token.js

@@ -10,6 +10,7 @@ import dpopValidate, { DPOP_OK_WINDOW } from '../../helpers/validate_dpop.js';
 import resolveResource from '../../helpers/resolve_resource.js';
 import epochTime from '../../helpers/epoch_time.js';
 import checkRar from '../../shared/check_rar.js';
+import getCtxAccountClaims from '../../helpers/account_claims.js';
 
 import { gty as cibaGty } from './ciba.js';
 import { gty as deviceCodeGty } from './device_code.js';
@@ -233,7 +234,7 @@ export const handler = async function refreshTokenHandler(ctx) {
     const claims = filterClaims(refreshToken.claims, 'id_token', grant);
     const rejected = grant.getRejectedOIDCClaims();
     const token = new IdToken(({
-      ...await account.claims('id_token', [...scope].join(' '), claims, rejected),
+      ...await getCtxAccountClaims(ctx, 'id_token', [...scope].join(' '), claims, rejected),
       acr: refreshToken.acr,
       amr: refreshToken.amr,
       auth_time: refreshToken.authTime,

lib/actions/userinfo.js

@@ -12,6 +12,7 @@ import epochTime from '../helpers/epoch_time.js';
 import {
   InvalidToken, InsufficientScope, InvalidDpopProof, UseDpopNonce,
 } from '../helpers/errors.js';
+import getCtxAccountClaims from '../helpers/account_claims.js';
 
 const PARAM_LIST = new Set([
   'scope',
@@ -200,7 +201,7 @@ export default [
 
     if (client.userinfoSignedResponseAlg || client.userinfoEncryptedResponseAlg) {
       const token = new ctx.oidc.provider.IdToken(
-        await ctx.oidc.account.claims('userinfo', scope, claims, rejected),
+        await getCtxAccountClaims(ctx, 'userinfo', scope, claims, rejected),
         { ctx },
       );
 
@@ -215,7 +216,7 @@ export default [
       ctx.type = 'application/jwt; charset=utf-8';
     } else {
       const mask = new ctx.oidc.provider.Claims(
-        await ctx.oidc.account.claims('userinfo', scope, claims, rejected),
+        await getCtxAccountClaims(ctx, 'userinfo', scope, claims, rejected),
         { ctx },
       );
 

lib/helpers/account_claims.js

@@ -0,0 +1,6 @@
+export default async function getCtxAccountClaims(ctx, use, scope, claims, rejected) {
+  return {
+    ...await ctx.oidc.account.claims(use, scope, claims, rejected),
+    sub: ctx.oidc.account.accountId,
+  };
+}

lib/helpers/process_response_types.js

@@ -2,6 +2,7 @@ import { InvalidTarget } from './errors.js';
 import instance from './weak_cache.js';
 import filterClaims from './filter_claims.js';
 import combinedScope from './combined_scope.js';
+import getCtxAccountClaims from './account_claims.js';
 
 async function tokenHandler(ctx) {
   const { accountId } = ctx.oidc.session;
@@ -130,7 +131,7 @@ async function idTokenHandler(ctx) {
   const rejected = ctx.oidc.grant.getRejectedOIDCClaims();
   const scope = ctx.oidc.grant.getOIDCScopeFiltered(ctx.oidc.requestParamScopes);
   const idToken = new ctx.oidc.provider.IdToken({
-    ...await ctx.oidc.account.claims('id_token', scope, claims, rejected),
+    ...await getCtxAccountClaims(ctx, 'id_token', scope, claims, rejected),
     acr: ctx.oidc.acr,
     amr: ctx.oidc.amr,
     auth_time: ctx.oidc.session.authTime(),