mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-13 19:44:21 +00:00
3b140a67c8
# Which Problems Are Solved When the `openid` scope was not requested, as is possible in machine authentication, we didn't set the `sub` (subject) claim to tokens and possibly also userInfo and introspection. This fix always sets the `sub` claim for all cases. # How the Problems Are Solved Set the `Subject` field to regardless of passed scopes. # Additional Changes - none # Additional Context According to standards: - [RFC9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://datatracker.ietf.org/doc/html/rfc9068#name-data-structure) this claim is **required**. - [RFC7667 - OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2) the claim is optional, however there is no correlation to the `openid` or OpenID Connect. Therefore it doesn't harm to always return this claim. - [OpenID connect, User Info Response](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse): "The sub (subject) Claim **MUST** always be returned in the UserInfo Response." Closes https://github.com/zitadel/zitadel/issues/8591 |
||
|---|---|---|
| .. | ||
| integration_test | ||
| access_token.go | ||
| amr_test.go | ||
| amr.go | ||
| auth_request_converter_test.go | ||
| auth_request_converter_v2.go | ||
| auth_request_converter.go | ||
| auth_request.go | ||
| client_converter.go | ||
| client_credentials.go | ||
| client.go | ||
| device_auth.go | ||
| error_test.go | ||
| error.go | ||
| introspect.go | ||
| jwt-profile.go | ||
| key_test.go | ||
| key.go | ||
| op.go | ||
| server_test.go | ||
| server.go | ||
| token_client_credentials.go | ||
| token_code.go | ||
| token_device.go | ||
| token_exchange_converter.go | ||
| token_exchange.go | ||
| token_jwt_profile.go | ||
| token_refresh.go | ||
| token.go | ||
| userinfo_test.go | ||
| userinfo.go | ||