hafezdivandari
commented
10 hours ago Using "client credentials" grant, the client is the resource owner, so is the subject of the JWT token.
Open shades684 opened 16 hours ago
hafezdivandari
commented
10 hours ago Using "client credentials" grant, the client is the resource owner, so is the subject of the JWT token.
Since version 9 the client credentials grant fills the subject of the jwt token with the client identifier
On line 56 of League\OAuth2\Server\Grant\ClientCredentialsGrant the userIdentifier is set to null On line 107 of League\OAuth2\Server\Entities\Traits\AccessTokenTrait the SubjectIdentifier is therefor filled with de identifier of the client
When using the given jwt token: On line 132 of League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator the oauth_user_id is set to the value of sub (which is the subject identifier mentioned above)
The definition of sub says:
This value if used in Line 91 of League\Bundle\OAuth2ServerBundle\Security\Authenticator checks if sub should return a NullUser if we don't have a user, but now it doesn't and we get an error.
I expect the SubjectIdentifier of the AccessTokenTrait should be nullable and not return the client id in the subject if we have no user. I don't know if this has been done intentionally or my assumptions are correct.