Commit c9599f2

chore: prevent non-unique oidc subjects from authenticating
Any IdP returning an empty field here breaks the assumption of a unique subject id. This is defined in the OIDC spec.
1 parent d5595f8 commit c9599f2

File tree

1 file changed

+9
-0
lines changed

coderd/userauth.go

Lines changed: 9 additions & 0 deletions
@@ -1096,6 +1096,15 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
10961096
return
10971097
}
10981098

1099+
if idToken.Subject == "" {
1100+
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
1101+
Message: "OIDC token missing 'sub' claim field or 'sub' claim field is empty.",
1102+
Detail: "'sub' claim field is required to be unique for all users by a given issue, " +
1103+
"an empty field is invalid and this authentication attempt is rejected.",
1104+
})
1105+
return
1106+
}
1107+
10991108
logger := api.Logger.Named(userAuthLoggerName)
11001109

11011110
// "email_verified" is an optional claim that changes the behavior
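Review bot: The user-visible Detail string at the added lines has a typo, "unique for all users by a given issue," which should read "by a given issuer" (the OIDC guarantee is that `sub` is unique per issuer, not per issue); suggest `Detail: "'sub' claim field is required to be unique for all users by a given issuer, " +`. The check itself is the right defensive move: an empty subject would otherwise let every account from such an IdP resolve to the same identity, and rejecting with 400 before the logger is created keeps the failure out of the normal auth path. Consider also documenting in the handler comment that this enforces the OIDC Core requirement that `sub` be a non-empty, issuer-unique identifier, so the reason for the early return survives future refactors.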
