Open mattmshell opened 1 year ago

Thank you for this well designed and rational library. My IdP setup, PingID + Azure AD, issues access_tokens with the 'sub' claim. For example, I receive:

This results in the following failure to auth:

The specs on this claim are at odds with one another.

RFC 7519

OpenID Connect Core 1.0

Can this check be relaxed, or possibly the check made conditional via configuration?

Hi Matt, thanks for the comment.

It's true that we could relax the requirement and make the verification configurable. I will try to add such a feature shortly.

The two specifications that you quote are actually not at odds. The OIDC core spec defines the ID token, and there the sub claim is required. In other JWTs, as defined in RFC 7519, sub is not a required claim (e.g. JWT access tokens do not have to use that claim).
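The distinction drawn in the reply (sub is REQUIRED in an OIDC ID Token but OPTIONAL in a generic RFC 7519 JWT such as an access token) is easy to get wrong in a validator that treats every JWT as an ID Token. The following is an added example, not code from this issue or from the library being discussed: a small claims validator that makes the sub requirement depend on the token type, with an explicit override knob (the `require_sub` parameter is a hypothetical name standing in for the configurable check requested above). Token strings, issuer and audience values are constructed test data; signature verification is assumed to happen before this step and is not shown.

```python
"""Claims validation where the 'sub' requirement depends on token type.

RFC 7519 section 4.1.2: 'sub' is OPTIONAL in a generic JWT.
OpenID Connect Core 1.0 section 2: 'sub' is REQUIRED in an ID Token.
Signature verification is out of scope here and assumed to run first.
"""
import base64
import json
import time
from typing import List, Optional

# Claims every ID Token must carry (OIDC Core 1.0 section 2).
ID_TOKEN_REQUIRED = frozenset({"iss", "sub", "aud", "exp", "iat"})
# RFC 7519 mandates no claim at all; this is a deployment's own policy
# for access tokens (assumption for the example, not a spec requirement).
ACCESS_TOKEN_REQUIRED = frozenset({"iss", "aud", "exp"})

# Fixed clock so the example is deterministic (constructed value).
NOW = 1_700_000_000


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as JWT segments are encoded."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_payload(token: str) -> dict:
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    return json.loads(b64url_decode(parts[1]))


def validate_claims(claims: dict, *, id_token: bool,
                    require_sub: Optional[bool] = None,
                    now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the claims pass.

    id_token selects the baseline required set. require_sub (hypothetical
    config knob) overrides the default: ID Tokens require 'sub', plain
    access tokens do not.
    """
    required = set(ID_TOKEN_REQUIRED if id_token else ACCESS_TOKEN_REQUIRED)
    if require_sub is None:
        require_sub = id_token
    if require_sub:
        required.add("sub")
    else:
        required.discard("sub")

    problems = [f"missing required claim: {c}"
                for c in sorted(required - claims.keys())]

    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append("token expired")

    # If 'sub' is present at all it must be a StringOrURI (RFC 7519 4.1.2).
    if "sub" in claims and not isinstance(claims["sub"], str):
        problems.append("sub must be a string (StringOrURI)")
    return problems


def make_unsigned_token(payload: dict) -> str:
    """Build header.payload.signature with a placeholder signature.

    Constructed test data only; a real token carries a verifiable signature.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


# Constructed access token with no 'sub' claim, the shape described in the issue.
ACCESS_TOKEN_NO_SUB = make_unsigned_token({
    "iss": "https://idp.example.com",
    "aud": "api://example-resource",
    "iat": NOW,
    "exp": NOW + 3600,
    "scp": "read",
})


if __name__ == "__main__":
    claims = decode_payload(ACCESS_TOKEN_NO_SUB)
    print("as access token:", validate_claims(claims, id_token=False, now=NOW))
    print("as ID token:    ", validate_claims(claims, id_token=True, now=NOW))
```

Run as an access token the constructed claims pass; validated as an ID Token the same claims fail with a missing sub, and a deployment that does want sub on access tokens gets the same failure by passing `require_sub=True`.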