mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-05 14:37:45 +00:00
3b140a67c8
# Which Problems Are Solved When the `openid` scope was not requested, as is possible in machine authentication, we didn't set the `sub` (subject) claim to tokens and possibly also userInfo and introspection. This fix always sets the `sub` claim for all cases. # How the Problems Are Solved Set the `Subject` field to regardless of passed scopes. # Additional Changes - none # Additional Context According to standards: - [RFC9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://datatracker.ietf.org/doc/html/rfc9068#name-data-structure) this claim is **required**. - [RFC7667 - OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2) the claim is optional, however there is no correlation to the `openid` or OpenID Connect. Therefore it doesn't harm to always return this claim. - [OpenID connect, User Info Response](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse): "The sub (subject) Claim **MUST** always be returned in the UserInfo Response." Closes https://github.com/zitadel/zitadel/issues/8591