Drop extra check of matching sub claims

josephdecock · josephdecock · commit 4aa9cc6ef800 · 2024-11-07T09:33:47.000-06:00
Don't want to introduce new behavior in this security fix
diff --git a/src/Duende.AccessTokenManagement.OpenIdConnect/AuthenticationSessionUserTokenStore.cs b/src/Duende.AccessTokenManagement.OpenIdConnect/AuthenticationSessionUserTokenStore.cs
@@ -70,13 +70,6 @@ public async Task<UserToken> GetTokenAsync(
                 return new UserToken() { Error = "No properties on authentication result" };
             }
 
-
-            // This "can't happen", but if it ever did, we would have a security problem
-            if (result.Principal.FindFirstValue(JwtClaimTypes.Subject) != user.FindFirstValue(JwtClaimTypes.Subject))
-            {
-                throw new InvalidOperationException("Mismatch between expected user identity and cached authenticate result");
-            }
-
             return _tokensInProps.GetUserToken(result.Properties, parameters);
         }
 

Original file line number	Diff line number	Diff line change
`@@ -70,13 +70,6 @@ public async Task<UserToken> GetTokenAsync(`
`70`	`70`	`return new UserToken() { Error = "No properties on authentication result" };`
`71`	`71`	`}`
`72`	`72`
`73`		`-`
`74`		`- // This "can't happen", but if it ever did, we would have a security problem`
`75`		`- if (result.Principal.FindFirstValue(JwtClaimTypes.Subject) != user.FindFirstValue(JwtClaimTypes.Subject))`
`76`		`- {`
`77`		`- throw new InvalidOperationException("Mismatch between expected user identity and cached authenticate result");`
`78`		`- }`
`79`		`-`
`80`	`73`	`return _tokensInProps.GetUserToken(result.Properties, parameters);`
`81`	`74`	`}`
`82`	`75`