Don't allow claim escalation

2026-01-05 16:40:11 +11:00
parent 5c5662eaab
commit 5268f10eb3
2 changed files with 11 additions and 1 deletions
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -457,6 +457,16 @@ class OidcController < ApplicationController

  # POST /oauth/token
  def token
+    # Reject claims parameter - per OIDC security, claims parameter is only valid
+    # in authorization requests, not at the token endpoint
+    if params[:claims].present?
+      render json: {
+        error: "invalid_request",
+        error_description: "claims parameter is not allowed at the token endpoint"
+      }, status: :bad_request
+      return
+    end
+
    grant_type = params[:grant_type]

    case grant_type