@@ -1096,15 +1096,6 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
10961096 return
10971097 }
10981098
1099- if idToken .Subject == "" {
1100- httpapi .Write (ctx , rw , http .StatusBadRequest , codersdk.Response {
1101- Message : "OIDC token missing 'sub' claim field or 'sub' claim field is empty." ,
1102- Detail : "'sub' claim field is required to be unique for all users by a given issue, " +
1103- "an empty field is invalid and this authentication attempt is rejected." ,
1104- })
1105- return
1106- }
1107-
11081099 logger := api .Logger .Named (userAuthLoggerName )
11091100
11101101 // "email_verified" is an optional claim that changes the behavior
@@ -1121,6 +1112,20 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
11211112 return
11221113 }
11231114
1115+ if idToken .Subject == "" {
1116+ logger .Error (ctx , "oauth2: missing 'sub' claim field in OIDC token" ,
1117+ slog .F ("source" , "id_token" ),
1118+ slog .F ("claim_fields" , claimFields (idtokenClaims )),
1119+ slog .F ("blank" , blankFields (idtokenClaims )),
1120+ )
1121+ httpapi .Write (ctx , rw , http .StatusBadRequest , codersdk.Response {
1122+ Message : "OIDC token missing 'sub' claim field or 'sub' claim field is empty." ,
1123+ Detail : "'sub' claim field is required to be unique for all users by a given issue, " +
1124+ "an empty field is invalid and this authentication attempt is rejected." ,
1125+ })
1126+ return
1127+ }
1128+
11241129 logger .Debug (ctx , "got oidc claims" ,
11251130 slog .F ("source" , "id_token" ),
11261131 slog .F ("claim_fields" , claimFields (idtokenClaims )),
0 commit comments