Tags: php, oauth-2.0, yii2, openid, openid-connect

How do I replace the subject (sub) in the id_token with a secret string in OpenID Connect?


OAuth2 libraries:

https://github.com/Filsh/yii2-oauth2-server

https://github.com/bshaffer/oauth2-server-php

Please note that the user id in my system is an integer, not a string.

My purpose is just to hide the system user id.

The steps for the ID token:

http://bshaffer.github.io/oauth2-server-php-docs/overview/openid-connect/

{ "iss": "localhost", "sub": 2, "aud": "-7IloKCawcvBwRijJeo7nsLxx1chC68L", "iat": 1514518157, "exp": 1514521757, "auth_time": 1514518157, "nonce": "dfsdsdsd" }

md5('-7IloKCawcvBwRijJeo7nsLxx1chC68L' + 2) = 3C86CBBFF35AD3B6E609F5622D776531

I want to replace the subject with md5(client_id + subject):

{ "iss": "localhost", "sub": "3C86CBBFF35AD3B6E609F5622D776531", "aud": "-7IloKCawcvBwRijJeo7nsLxx1chC68L", "iat": 1514516044, "exp": 1514519644, "auth_time": 1514516044, "nonce": "dfsdsdsd" }


Solution

  • If I understand your desire, the OpenID Provider can provide anything for the Subject as long as it is unique at that OpenID Provider for a specific Relying Party.

    The OpenID Connect ID Token sub (Subject Identifier) is a locally unique and never re-assigned identifier within the Issuer for the authenticated End-User, which is intended to be consumed by the OAuth Client.

    Two Subject Identifier types (subject_types_supported) are defined by OpenID Connect and are REQUIRED to be present in the OpenID Provider Metadata:

    public - provides the same sub (subject) value to all OAuth Clients. It is the default if the provider has no subject_types_supported element in its discovery document.

    pairwise - provides a different sub value to each OAuth Client, so as not to enable OAuth Clients to correlate the End-User's activities without permission.

    The OpenID Provider's OpenID Connect Discovery document SHOULD list its supported Subject Identifier types in the subject_types_supported element.

    If there is more than one type listed in the array, the OAuth Client MAY elect to provide its preferred identifier type using the subject_type parameter during Registration.

    The sub MUST NOT exceed 255 ASCII characters in length.

    The sub value is a case-sensitive string.
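The pairwise scheme the answer describes, as an added example that is not part of the question, the answer, or either library. It derives sub the way OpenID Connect Core section 8.1 sketches it (a hash over the sector identifier, the local account id and a server-side salt), using the client_id as the sector identifier, and rewrites the claim set shown in the question before it is signed. The salt constant, the helper names and the sample claims are assumptions constructed for this example; how you hook the helper into the library's ID-token response type is not shown here. The last part illustrates why the question's md5(client_id + user_id) idea does not hide an integer user id: the client_id is public, so anyone can enumerate small integers and match the hash.

```php
<?php
declare(strict_types=1);

// Assumption: a long random secret kept on the server, outside version control.
// Without it the pairwise sub below cannot be enumerated by anyone who knows the client_id.
const PAIRWISE_SALT = 'replace-with-a-long-random-server-secret';

/**
 * Pairwise Subject Identifier in the style of OIDC Core 8.1:
 * sub = hash(sector_identifier || local_account_id || salt).
 * Here the sector identifier is the client_id (assumption; with a
 * registered sector_identifier_uri you would use its host instead).
 */
function pairwiseSub(int $userId, string $sectorIdentifier, string $salt = PAIRWISE_SALT): string
{
    // HMAC keyed by the salt; the NUL separator keeps ("1","23") and ("12","3") from colliding.
    $sub = hash_hmac('sha256', $sectorIdentifier . "\0" . $userId, $salt);
    // OIDC: sub MUST NOT exceed 255 ASCII characters (64 hex chars is well within that).
    if (strlen($sub) > 255) {
        throw new RuntimeException('sub exceeds 255 ASCII characters');
    }
    return $sub;
}

/** Replace the integer sub in an ID-token claim set with the pairwise value; other claims are untouched. */
function toPairwiseClaims(array $claims): array
{
    if (!is_int($claims['sub'] ?? null) || !is_string($claims['aud'] ?? null)) {
        throw new InvalidArgumentException('expected an integer sub and a string aud');
    }
    $claims['sub'] = pairwiseSub($claims['sub'], $claims['aud']);
    return $claims;
}

/**
 * Constructed demonstration of the weakness of an unsalted md5(client_id . user_id):
 * anyone holding the (public) client_id can brute-force the integer user id.
 */
function recoverUserIdFromMd5Sub(string $md5Sub, string $clientId, int $maxId = 100000): ?int
{
    $needle = strtolower($md5Sub);
    for ($id = 1; $id <= $maxId; $id++) {
        if (hash_equals($needle, md5($clientId . $id))) {
            return $id;
        }
    }
    return null;
}

// Constructed claim set, mirroring the ID token shown in the question.
$claims = [
    'iss'       => 'localhost',
    'sub'       => 2,
    'aud'       => '-7IloKCawcvBwRijJeo7nsLxx1chC68L',
    'iat'       => 1514518157,
    'exp'       => 1514521757,
    'auth_time' => 1514518157,
    'nonce'     => 'dfsdsdsd',
];

$pairwise = toPairwiseClaims($claims);
echo json_encode($pairwise, JSON_PRETTY_PRINT), PHP_EOL;

// Pairwise property: same user and same client give the same sub; a different client gives a different one.
var_dump($pairwise['sub'] === pairwiseSub(2, $claims['aud']));      // bool(true)
var_dump($pairwise['sub'] === pairwiseSub(2, 'another-client-id'));  // bool(false)

// The question's idea, written with PHP's string concatenation operator, is reversible:
$weakSub = md5($claims['aud'] . 2);
var_dump(recoverUserIdFromMd5Sub($weakSub, $claims['aud']));         // int(2)
```

Two things follow from the answer's definition of sub once you do this. The UserInfo endpoint must return the same sub the ID token carried for that client, so either store the (client_id, pairwise sub) pair against the user id, or recompute it from the user id bound to the access token; never look the user up by parsing the sub. And the discovery document should then advertise `"subject_types_supported": ["pairwise"]`, since clients may otherwise assume the public type.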