How can we do case-insensitive comparison for sub claim and id_token?

[studersi]

We are facing errors that appear to be due to a mismatch of letter cases:

[2023-10-12 15:20:57.605432] [auth_openidc:error] IP.IP.IP.IP:SRC_PORT UNIQUE_ID oidc_proto_resolve_userinfo: "sub" claim ("some-user-name") returned from userinfo endpoint does not match the one in the id_token ("Some-User-Name")
[2023-10-12 15:20:57.605470] [auth_openidc:error] IP.IP.IP.IP:SRC_PORT UNIQUE_ID oidc_retrieve_claims_from_userinfo_endpoint: resolving user info claims with the provided access token failed, nothing will be stored in the session

It looks like mod_auth_openidc does a case-sensitive comparison. According to our IAM team, these values are not case-sensitive since the underlying data is not case sensitive. For this reason, the comparison should ignore the case of the letters.

Is there any way, to configure mod_auth_openidc to do a case-insensitive comparison?

[zandbelt]

The spec https://openid.net/specs/openid-connect-core-1_0.html#IDToken says:

sub
REQUIRED. Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length. The sub value is a case sensitive string.

So the value of sub is case sensitive by definition. Upon receiving the userinfo response, the spec https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse dictates:

The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.

Hence mod_auth_openidc's implementation is spec-compliant, as claimed. If we were to loosen this, it would probably also break certification conformance testing (https://openid.net/certification)

[studersi]

Thank you for the quick reply and the clarification! I will forward this information accordingly.

[franck-eyraud]

Is there a way on the other hand to make the Require claim directive case insensitive ? We need to compare the email field, and it appears that the comparison is done case sensitively. Email addresses are by design case insensitive.

Thank you

[zandbelt]

you can use a PCRE regular expression in the "claim" value, see /applis/asif/apache/domaineASI/conf/extra/oidc.conf