Closed ydanneg closed 5 months ago
@ydanneg PR looks good and I will merge it.
I have some second thoughts because either with this PR or without it, we cannot enforce what specification requires.
iss: OPTIONAL (string). The value of this claim MUST be the client_id of the Client making the Credential request. This claim MUST be omitted if the access token authorizing the issuance call was obtained from a Pre-Authorized Code Flow through anonymous access to the token endpoint
In other words, client_id
is always required unless
The first condition could be tracked by the library, yet not the 2nd.
I will need some time to think about it. Perhaps clientId
could be nullable in config.
I will come back on this.
@ydanneg Thanks again for the fix
I merged it, leaving aside the considerations expressed in my previous comment, because I have the impression that in most cases the iss
is required. It is exceptional the case that it is has to be omitted
Fixes #137