From 0d4e4bd0060f47dd9707c972c814b5d18c22e90c Mon Sep 17 00:00:00 2001
From: Jonathan Daggerhart
Date: Sat, 3 Nov 2018 11:27:14 -0400
Subject: [PATCH] additional error detection on user_claim
---
 includes/openid-connect-generic-client.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/includes/openid-connect-generic-client.php b/includes/openid-connect-generic-client.php
index d0d9ac3..c408291 100644
--- a/includes/openid-connect-generic-client.php
+++ b/includes/openid-connect-generic-client.php
@@ -376,7 +376,16 @@ class OpenID_Connect_Generic_Client {
 if ( ! is_array( $user_claim ) ){
 return new WP_Error( 'invalid-user-claim', __( 'Invalid user claim' ), $user_claim );
 }
-
+
+ // allow for errors from the IDP
+ if ( isset( $user_claim['error'] ) ) {
+ $message = __( 'Error from the IDP' );
+ if ( !empty( $user_claim['error_description'] ) ) {
+ $message = $user_claim['error_description'];
+ }
+ return new WP_Error( 'invalid-user-claim-' . $user_claim['error'], $message, $user_claim );
+ }
+
 // make sure the id_token sub === user_claim sub, according to spec
 if ( $id_token_claim['sub' ] !== $user_claim['sub'] ) {
 return new WP_Error( 'incorrect-user-claim', __( 'Incorrect user claim' ), func_get_args() );
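Review bot: The new branch copies the IdP-supplied `error_description` into the WP_Error message and concatenates `$user_claim['error']` into the error code without checking that either value is a string, so a non-string value yields an `Array` code with a PHP notice, and if these messages are rendered to the browser (the rendering is outside this hunk) any markup in the description reaches the page unescaped. `$user_claim` is decoded from a remote response, so it should be treated as untrusted at this boundary: `$code = 'invalid-user-claim-' . sanitize_key( is_string( $user_claim['error'] ) ? $user_claim['error'] : 'unknown' );` and `if ( ! empty( $user_claim['error_description'] ) && is_string( $user_claim['error_description'] ) ) { $message = esc_html( $user_claim['error_description'] ); }`. Note also that `isset( $user_claim['error'] )` will reject a provider whose userinfo legitimately carries a custom claim named `error`; the HTTP status of the userinfo response, if the caller has it, would be a more precise failure signal, and a comment such as `// OAuth-style error object returned in place of userinfo claims` would make the intent explicit. The enclosing method begins before the hunk.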