Skip to content

Commit

Permalink
Add optional skip_issuer parameter to IdToken.verify!
Browse files Browse the repository at this point in the history
This is especially useful when using Microsoft Entra ID common
endpoint, as the issuer could be from another tenant.

When using this parameter it is recommended to set the audience as this
stays the same even if the issuer is from another tenant.

Related omniauth/omniauth_openid_connect#166
Closes nov#95
  • Loading branch information
bufferoverflow committed Jul 7, 2024
1 parent e1eb8ea commit ae994f2
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/openid_connect/response_object/id_token.rb
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,9 @@ def initialize(attributes = {})
self.auth_time = auth_time.to_i unless auth_time.nil?
end

def verify!(expected = {})
def verify!(expected = {}, skip_issuer = false)
raise ExpiredToken.new('Invalid ID token: Expired token') unless exp.to_i > Time.now.to_i
raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless iss == expected[:issuer]
raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless (iss == expected[:issuer] || skip_issuer == true)
raise InvalidNonce.new('Invalid ID Token: Nonce does not match') unless nonce == expected[:nonce]

# aud(ience) can be a string or an array of strings
Expand Down
12 changes: 12 additions & 0 deletions spec/openid_connect/response_object/id_token_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,18 @@
end
end

context 'when issuer is invalid and skip_issuer is set' do
it do
expect do
id_token.verify!({
issuer: 'invalid_issuer',
client_id: attributes[:aud]},
false
)
end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
end
end

context 'when issuer is missing' do
it do
expect do
Expand Down

0 comments on commit ae994f2

Please sign in to comment.