Skip to content

Commit 13e6338

Browse files
committed
sidecar: whitelist only profile claims from upstream id_token (drop at_hash, azp etc — they made our access token look like an id_token)
1 parent 7b71a27 commit 13e6338

1 file changed

Lines changed: 19 additions & 3 deletions

File tree

sidecar/internal/as/callback.go

Lines changed: 19 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -77,9 +77,25 @@ func HandleCallback(s *store.Store, oidcMgr *oidc.Manager, cipher *crypto.Cipher
7777
sub = "unknown"
7878
}
7979

80-
// Remove standard JWT claims from extra claims to avoid conflicts.
81-
for _, k := range []string{"iss", "aud", "exp", "iat", "nbf", "jti", "scope"} {
82-
delete(userClaims, k)
80+
// Keep only safe profile-style claims for the access token.
81+
// Drop standard JWT claims (we set our own) and ID-Token-specific claims
82+
// (at_hash, azp, nonce, auth_time, sub) so the minted token doesn't look
83+
// like an ID Token to RFC 9068-aware clients.
84+
allowed := map[string]bool{
85+
"email": true,
86+
"email_verified": true,
87+
"name": true,
88+
"given_name": true,
89+
"family_name": true,
90+
"picture": true,
91+
"locale": true,
92+
"hd": true,
93+
"preferred_username": true,
94+
}
95+
for k := range userClaims {
96+
if !allowed[k] {
97+
delete(userClaims, k)
98+
}
8399
}
84100

85101
claimsJSON, err := json.Marshal(userClaims)

0 commit comments

Comments
 (0)