Make "sub" claim optional

[nobleach]

While attempting to follow a short example on using JWKS based JWT auth, I ran into this error:

21:11:05.021 [nioEventLoopGroup-1-5] DEBUG i.m.s.t.j.v.SubjectNotNullJwtClaimsValidator - JWT must contain a subject ('sub' claim)
21:11:05.022 [nioEventLoopGroup-1-5] DEBUG i.m.s.t.b.BasicAuthTokenValidator - Error while trying to Base 64 decode: eyJhbG

Based on RFC-7519 (JWT standard), this is not the case. This field is optional. It appears this is handled here in micronaut-security. Should this restriction be relaxed?

[sdelamo]

It is possible to turn off sub validation with:

micronaut.security.token.jwt.claims-validators.subject-not-null=false

Expiration claim (exp) is optional as well and we enforce it.

I think it is a sensible default to validate both sub and exp.

Moreover, sub claims is used by default by :

AuthenticationJWTClaimsSetAdapter::getName as the username.

[nobleach]

While that is indeed possible, do you think it's the right thing to have to turn off validation for an optional field? I don't know the right answer, but I feel that it's not the best experience.

As a side note, I didn't know it was possible to turn this off until I saw the pull request a few days ago. It certainly helped me get around my issue, but I'm not sure what documentation I failed to read.

[graemerocher]

FWIW I am in agreement that from a user experience point of view this could use improving, hence +1 for the PR

[sdelamo]

I've added a claims validation section which should help

https://micronaut-projects.github.io/micronaut-security/latest/guide/index.html#claimsValidation

[nobleach]

Thank you so much! I sincerely appreciate the work on this.