jumbojett · SamuelWei · Apr 29, 2025 · Apr 29, 2025 · May 8, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Check existence of subject when verifying JWT #474
+- Verify subject for all UserInfo Responses #478
 - exp verification when verifying Logout Token claims #482
 
 ## [1.0.1] - 2024-09-13

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -1308,6 +1308,11 @@ public function requestUserInfo(?string $attribute = null) {
             $user_json = $claims;
         } else {
             $user_json = json_decode($response, false);
+
+            // Check subject
+            if(!isset($user_json->sub) || $user_json->sub !== $this->getIdTokenPayload()->sub){
+                throw new OpenIDConnectClientException('Invalid subject in user info response');
+            }
         }
 
         $userInfo = $user_json;