From 36f64208746a5f517d29d047b5e6068aa98cfb15 Mon Sep 17 00:00:00 2001
From: bourgeoa
Date: Thu, 1 Jan 2026 22:42:49 +0100
Subject: [PATCH] check iss

---
 package.json | 2 +-
 src/AuthenticationResponse.js | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 63562d7..498624a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@solid/oidc-rp",
-  "version": "0.12.0",
+  "version": "0.12.1",
   "description": "OpenID Connect Relying Party client library",
   "main": "./src/index.js",
   "module": "./src/index.js",
diff --git a/src/AuthenticationResponse.js b/src/AuthenticationResponse.js
index d8a0f02..df5cc67 100644
--- a/src/AuthenticationResponse.js
+++ b/src/AuthenticationResponse.js
@@ -51,6 +51,7 @@ class AuthenticationResponse {
       .then(this.errorResponse)
       .then(this.matchRequest)
       .then(this.validateStateParam)
+      .then(this.validateIssParam)
       .then(this.validateResponseMode)
       .then(this.validateResponseParams)
       .then(this.exchangeAuthorizationCode)
@@ -181,6 +182,37 @@ class AuthenticationResponse {
     })
   }
 
+  /**
+   * validateIssParam
+   *
+   * @description
+   * RFC 9207: OAuth 2.0 Authorization Server Issuer Identification
+   * Validates the iss parameter in the authorization response, if present.
+   * The iss parameter helps prevent mix-up attacks by ensuring the response
+   * came from the expected authorization server.
+   *
+   * @param {Object} response
+   * @returns {Promise}
+   */
+  static validateIssParam (response) {
+    let {params, rp} = response
+
+    // RFC 9207: If iss parameter is present, it MUST match the provider issuer
+    if (params.iss) {
+      let expectedIssuer = rp.provider.issuer || rp.provider.url
+
+      if (params.iss !== expectedIssuer) {
+        throw new Error(
+          `Mismatching issuer in authentication response. Expected: ${expectedIssuer}, Got: ${params.iss}`)
+      }
+    }
+
+    // Note: RFC 9207 specifies iss SHOULD be present, but we don't enforce it
+    // for backward compatibility with authorization servers that don't support RFC 9207
+
+    return Promise.resolve(response)
+  }
+
   /**
    * validateResponseMode
    *
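Review bot: `if (params.iss)` treats an empty `iss` value as absent, so a response carrying `iss=` skips the comparison even though RFC 9207 requires any present `iss` to match the expected issuer; test for presence rather than truthiness, `if (params.iss !== undefined) {`. The larger gap is the one the trailing comment acknowledges: when `iss` is missing nothing is checked, which is precisely the mix-up scenario the parameter exists to close, and RFC 9207 says a client must reject responses without `iss` once the provider's metadata advertises `authorization_response_iss_parameter_supported: true` — if that discovery document is reachable from `rp.provider`, gate a "missing iss" rejection on it rather than leaving the check unconditionally optional. The fallback `rp.provider.issuer || rp.provider.url` compares `iss` against a URL that may differ in normalization (a trailing slash, for instance) from the issuer identifier, which would surface as spurious mismatch errors rather than a bypass; a one-line comment on why `url` is an acceptable stand-in would help the next reader. The method is complete within the hunk, but the enclosing class continues past it.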