From a5a97f8f59a1f6b0f18ab5e8b0e917cf9b8c967a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eva=20M=C3=BCller?=
Date: Tue, 10 Sep 2024 09:33:27 +0200
Subject: [PATCH] Compare username based on ID strategy on token refresh
---
 src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
index 3cdf9cb4..6fd1d467 100644
--- a/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
+++ b/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
@@ -1516,7 +1516,7 @@ private boolean handleTokenRefreshResponse(
 String username = determineStringField(userNameFieldExpr, parsedIdToken, userInfo);
- if (!expectedUsername.equals(username)) {
+ if (!User.idStrategy().equals(expectedUsername, username)) {
 httpResponse.sendError(
 HttpServletResponse.SC_UNAUTHORIZED, "User name was not the same after refresh request");
 return false;
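Review bot: `username` is passed to `User.idStrategy().equals(expectedUsername, username)` without a null check, and this hunk does not show whether `determineStringField` can return null when the refreshed ID token or userinfo lacks the configured claim. The old `expectedUsername.equals(username)` treated null as a mismatch and fell through to the 401, whereas the strategy's two-argument `equals` may throw on null depending on the configured IdStrategy implementation, which would replace the explicit fail-closed rejection with an unhandled exception. A guard keeps the rejection explicit: `if (username == null || !User.idStrategy().equals(expectedUsername, username)) {`. A one-line comment saying the comparison follows the realm's ID strategy, so that differences the strategy treats as the same user (presumably case) do not end the session, would help, as would a test for the refresh path under both a case-sensitive and a case-insensitive strategy. handleTokenRefreshResponse starts and ends outside the hunk.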