Added OPENID_SUBJECT_PREFIX config to prefix subject (#3636)

* introduced new config OPENID_SUBJECT_PREFIX to prefix OIDC subject with tenant and product * set subject correctly
boxyhq · Feb 21, 2025 · 8c897ae · 8c897ae
1 parent ffb7338
commit 8c897ae
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 4 deletions.
diff --git a/.env.example b/.env.example
@@ -127,4 +127,7 @@ ENTERPRISE_ORY_PROJECT_ID=
 # Log file to write to
 LOG_FILE=
 # Log levels - "fatal" | "error" | "warn" | "info" (default) | "debug" | "trace"
-LOG_LEVEL=
+LOG_LEVEL=
+
+# Set this config to add prefix OIDC subject wiht tenant and product to avoid any potential collissions with SAML IdP profile IDs
+# OPENID_SUBJECT_PREFIX=true
diff --git a/lib/env.ts b/lib/env.ts
@@ -87,6 +87,7 @@ const jacksonOptions: JacksonOption = {
     },
     requestProfileScope: process.env.OPENID_REQUEST_PROFILE_SCOPE === 'false' ? false : true,
     forwardOIDCParams: process.env.OPENID_REQUEST_FORWARD_PARAMS === 'true' ? true : false,
+    subjectPrefix: process.env.OPENID_SUBJECT_PREFIX === 'true' ? true : false,
   },
   certs: {
     publicKey: process.env.PUBLIC_KEY || '',

diff --git a/npm/src/controller/oauth.ts b/npm/src/controller/oauth.ts
@@ -1338,6 +1338,15 @@ export class OAuthController implements IOAuthController {
         protocol,
       };
 
+      let subject = codeVal.profile.claims.id;
+      if (this.opts.openid?.subjectPrefix) {
+        subject =
+          codeVal.requested?.tenant + ':' + codeVal.requested?.product + ':' + codeVal.profile.claims.id;
+        if (subject.length > 255) {
+          subject = crypto.createHash('sha512').update(subject).digest('hex');
+        }
+      }
+
       const requestHasNonce = !!codeVal.requested?.nonce;
       if (requestedOIDCFlow) {
         const { jwtSigningKeys, jwsAlg } = this.opts.openid ?? {};
@@ -1347,7 +1356,7 @@ export class OAuthController implements IOAuthController {
         let claims: Record<string, string> = requestHasNonce ? { nonce: codeVal.requested.nonce } : {};
         claims = {
           ...claims,
-          id: codeVal.profile.claims.id,
+          id: subject,
           email: codeVal.profile.claims.email,
           firstName: codeVal.profile.claims.firstName,
           lastName: codeVal.profile.claims.lastName,
@@ -1360,12 +1369,12 @@ export class OAuthController implements IOAuthController {
           .setProtectedHeader({ alg: jwsAlg!, kid })
           .setIssuedAt()
           .setIssuer(this.opts.externalUrl)
-          .setSubject(codeVal.profile.claims.id)
+          .setSubject(subject)
           .setAudience(tokenVal.requested.client_id)
           .setExpirationTime(`${this.opts.db.ttl}s`) //  identity token only really needs to be valid long enough for it to be verified by the client application.
           .sign(signingKey);
         tokenVal.id_token = id_token;
-        tokenVal.claims.sub = codeVal.profile.claims.id;
+        tokenVal.claims.sub = subject;
       }
 
       const { hexKey, encVal } = encrypt(tokenVal);

diff --git a/npm/src/typings.ts b/npm/src/typings.ts
@@ -468,6 +468,7 @@ export interface JacksonOption {
     };
     requestProfileScope?: boolean; // defaults to true
     forwardOIDCParams?: boolean; // defaults to false
+    subjectPrefix?: boolean; // defaults to false
   };
   certs?: {
     publicKey: string;