fix: [Security] sub claim removed from authz request object

italia · Jun 18, 2022 · 5a9abb7 · 5a9abb7
1 parent b44e14d
commit 5a9abb7
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/spid_cie_oidc/__init__.py b/spid_cie_oidc/__init__.py
@@ -1 +1 @@
-__version__ = "0.7.3"
+__version__ = "0.7.4"
diff --git a/spid_cie_oidc/onboarding/schemas/authn_requests.py b/spid_cie_oidc/onboarding/schemas/authn_requests.py
@@ -140,7 +140,11 @@ class AuthenticationRequest(BaseModel):
     state: constr(min_length=32)
     # TODO: to be improved
     ui_locales: Optional[List[str]]
-    sub: HttpUrl
+
+    # sub claim MUST not be used to prevent that this jwt
+    # could be reused as a private_key_jwt
+    # sub: HttpUrl
+
     iss: HttpUrl
     iat: int
     exp: Optional[int]

diff --git a/spid_cie_oidc/relying_party/views/rp_begin.py b/spid_cie_oidc/relying_party/views/rp_begin.py
@@ -177,7 +177,10 @@ def get(self, request, *args, **kwargs):
         # add the signed request object
         authz_data_obj = deepcopy(authz_data)
         authz_data_obj["iss"] = client_conf["client_id"]
-        authz_data_obj["sub"] = client_conf["client_id"]
+
+        # sub claim MUST not be used to prevent that this jwt
+        # could be reused as a private_key_jwt
+        # authz_data_obj["sub"] = client_conf["client_id"]
 
         request_obj = create_jws(authz_data_obj, entity_conf.jwks_core[0])
         authz_data["request"] = request_obj