Reason for subject check when fetching user info?

[electerious]

Why is there a subject check when using the fetch user info function? I don’t understand why the server would return an unexpected subject for the given access token. It also looks like it's just a client-side validation, which could be done by the user after the fetch if he wants to validate the subject. It also wasn't part of v5. Am I missing something?

client.fetchUserInfo(config, accessToken, client.skipSubjectCheck)

[panva]

It is part of the spec, https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.

And it was part of v5 when the input to userInfo() was a TokenSet that contained an ID Token.

It also looks like it's just a client-side validation, which could be done by the user after the fetch if he wants to validate the subject.

I doubt they would.

[electerious]

Thanks for letting me know! The spec also contains the reason for this behaviour, which is what I was looking for :)

Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token.

[panva]

It is meant as a protection for implicit flow access token substitution attacks but is unfortunately not required ONLY for those response types.