Added check to handle token parsing with claims without "sub". (#3287)

wassafshahzad · web-flow · commit 509b01639e95 · 2025-06-18T15:52:24.000+02:00
### Description In the oidc_introspection.py `func (filter *oidcIntrospectionFilter) Request(ctx filters.FilterContext)` function get value form the Claim map using `sub` key and then casts the value into a string, but this would panic if no sub key is present. I added a check to ensure we only cast values if sub key is present. ### Linked Issue closes #3216 ### Approach to solution As describe in the following [comment](#3216 (comment)), I dug a bit deeper and found 2 suitable values to use if subject is not present in token. One is the Subject value in tokenContainer struct or UserInfo Struct. I decided to go with the tokenContainer struct. If this is not correct please do guide me if UserInfo Struct would be better. --------- Signed-off-by: wassafshahzad <wassafshahzad@gmail.com>
diff --git a/filters/auth/oidc_introspection.go b/filters/auth/oidc_introspection.go
@@ -139,7 +139,12 @@ func (filter *oidcIntrospectionFilter) Request(ctx filters.FilterContext) {
 		return
 	}
 
-	sub := token.Claims["sub"].(string)
+	sub, ok := token.Claims["sub"].(string)
+	if !ok {
+		unauthorized(ctx, fmt.Sprint(filter.typ), invalidSub, r.Host, "Invalid Subject")
+		return
+	}
+
 	authorized(ctx, sub)
 }
 
diff --git a/filters/auth/oidc_introspection_test.go b/filters/auth/oidc_introspection_test.go
@@ -139,11 +139,12 @@ func TestCreateOIDCQueryClaimsFilter(t *testing.T) {
 
 func TestOIDCQueryClaimsFilter(t *testing.T) {
 	for _, tc := range []struct {
-		msg       string
-		path      string
-		expected  int
-		expectErr bool
-		args      []interface{}
+		msg          string
+		path         string
+		expected     int
+		expectErr    bool
+		args         []interface{}
+		removeClaims []string
 	}{
 		{
 			msg: "secure sub/path not permitted",
@@ -165,6 +166,17 @@ func TestOIDCQueryClaimsFilter(t *testing.T) {
 			expected:  200,
 			expectErr: false,
 		},
+		{
+			msg: "missing sub claim is not permitted",
+			args: []interface{}{
+				"/login:groups.#[==\"AppX-Test-Users\"]",
+				"/:@_:email%\"*@example.org\"",
+			},
+			path:         "/login/page",
+			expected:     401,
+			expectErr:    false,
+			removeClaims: []string{"sub"},
+		},
 		{
 			msg: "generic user path permitted",
 			args: []interface{}{
@@ -292,7 +304,7 @@ func TestOIDCQueryClaimsFilter(t *testing.T) {
 				t.Errorf("Failed to parse url %s: %v", proxy.URL, err)
 			}
 			reqURL.Path = tc.path
-			oidcServer := createOIDCServer(proxy.URL+"/redirect", validClient, "mysec", jwt.MapClaims{"groups": []string{"CD-Administrators", "Purchasing-Department", "AppX-Test-Users", "white space"}})
+			oidcServer := createOIDCServer(proxy.URL+"/redirect", validClient, "mysec", jwt.MapClaims{"groups": []string{"CD-Administrators", "Purchasing-Department", "AppX-Test-Users", "white space"}}, tc.removeClaims)
 			defer oidcServer.Close()
 			t.Logf("oidc/auth server URL: %s", oidcServer.URL)
 			// create filter
diff --git a/filters/auth/oidc_test.go b/filters/auth/oidc_test.go
@@ -141,7 +141,7 @@ var testOpenIDConfig = `{
 // returns a localhost instance implementation of an OpenID Connect
 // server with configendpoint, tokenendpoint, authenticationserver endpoint, userinfor
 // endpoint, jwks endpoint
-func createOIDCServer(cb, client, clientsecret string, extraClaims jwt.MapClaims) *httptest.Server {
+func createOIDCServer(cb, client, clientsecret string, extraClaims jwt.MapClaims, removeClaims []string) *httptest.Server {
 	var oidcServer *httptest.Server
 	oidcServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
@@ -247,6 +247,11 @@ func createOIDCServer(cb, client, clientsecret string, extraClaims jwt.MapClaims
 				for k, v := range extraClaims {
 					claims[k] = v
 				}
+
+				for _, k := range removeClaims {
+					delete(claims, k)
+				}
+
 				token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
 
 				privKey, err := os.ReadFile(keyPath)
@@ -571,7 +576,7 @@ func TestNewOidc(t *testing.T) {
 }
 
 func TestCreateFilterOIDC(t *testing.T) {
-	oidcServer := createOIDCServer("", "", "", nil)
+	oidcServer := createOIDCServer("", "", "", nil, nil)
 	defer oidcServer.Close()
 
 	for _, tt := range []struct {
@@ -924,7 +929,7 @@ func TestOIDCSetup(t *testing.T) {
 
 			t.Logf("redirect URL: %s", redirectURL.String())
 
-			oidcServer := createOIDCServer(redirectURL.String(), "valid-client", "mysec", tc.extraClaims)
+			oidcServer := createOIDCServer(redirectURL.String(), "valid-client", "mysec", tc.extraClaims, nil)
 			defer oidcServer.Close()
 			t.Logf("oidc server URL: %s", oidcServer.URL)
 

Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,12 @@ func (filter *oidcIntrospectionFilter) Request(ctx filters.FilterContext) {`
`139`	`139`	`return`
`140`	`140`	`}`
`141`	`141`
`142`		`- sub := token.Claims["sub"].(string)`
	`142`	`+ sub, ok := token.Claims["sub"].(string)`
	`143`	`+ if !ok {`
	`144`	`+ unauthorized(ctx, fmt.Sprint(filter.typ), invalidSub, r.Host, "Invalid Subject")`
	`145`	`+ return`
	`146`	`+ }`
	`147`	`+`
`143`	`148`	`authorized(ctx, sub)`
`144`	`149`	`}`
`145`	`150`