fix: validate userinfo sub claim matches ID token sub (OIDC Core §5.3.2)

bvogel · bvogel · commit 78e8d74c0e99 · 2026-03-10T16:28:19.000+01:00
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
@@ -285,6 +285,12 @@ def user_info
             # gem calls res.body.with_indifferent_access which fails on a JWE string, so we
             # fetch and decrypt the userinfo ourselves.
             userinfo = fetch_userinfo_attributes
+            # OIDC Core §5.3.2: the sub in the UserInfo response MUST exactly match the sub
+            # in the ID Token; if they differ, the UserInfo response MUST NOT be used.
+            if userinfo.present? && userinfo[:sub].to_s != decoded[:sub].to_s
+              raise CallbackError, error: :userinfo_sub_mismatch,
+                                   reason: "UserInfo sub (#{userinfo[:sub].inspect}) does not match ID token sub (#{decoded[:sub].inspect})"
+            end
             @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new(userinfo.merge(decoded))
           else
             @user_info = ::OpenIDConnect::ResponseObject::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
diff --git a/test/lib/omniauth/strategies/openid_connect_jwe_test.rb b/test/lib/omniauth/strategies/openid_connect_jwe_test.rb
@@ -298,6 +298,24 @@ def test_user_info_uses_fetch_userinfo_attributes_when_encryption_configured
     assert_equal '+32499000000', result.phone_number
   end
 
+  def test_user_info_raises_on_sub_mismatch
+    rsa_key = OpenSSL::PKey::RSA.generate(2048)
+    id_token_claims = { sub: 'user123' }
+    id_token_jws = JSON::JWT.new(id_token_claims).sign(rsa_key, :RS256).to_s
+
+    mock_access_token = stub(id_token: id_token_jws)
+    decoded = stub(raw_attributes: id_token_claims)
+
+    jwe_strategy.options.id_token_encryption_alg = 'RSA-OAEP'
+    jwe_strategy.stubs(:access_token).returns(mock_access_token)
+    jwe_strategy.stubs(:decode_id_token).with(id_token_jws).returns(decoded)
+    jwe_strategy.stubs(:fetch_userinfo_attributes).returns({ sub: 'attacker', email: 'evil@example.com' })
+
+    assert_raises(OmniAuth::Strategies::OpenIDConnect::CallbackError) do
+      jwe_strategy.send(:user_info)
+    end
+  end
+
   def test_user_info_falls_back_to_standard_path_when_no_encryption
     jwe_strategy.options.id_token_encryption_alg = nil
     mock_access_token = stub(id_token: nil)
