mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-16 04:48:04 +00:00
3b140a67c8
# Which Problems Are Solved When the `openid` scope was not requested, as is possible in machine authentication, we didn't set the `sub` (subject) claim to tokens and possibly also userInfo and introspection. This fix always sets the `sub` claim for all cases. # How the Problems Are Solved Set the `Subject` field to regardless of passed scopes. # Additional Changes - none # Additional Context According to standards: - [RFC9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://datatracker.ietf.org/doc/html/rfc9068#name-data-structure) this claim is **required**. - [RFC7667 - OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2) the claim is optional, however there is no correlation to the `openid` or OpenID Connect. Therefore it doesn't harm to always return this claim. - [OpenID connect, User Info Response](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse): "The sub (subject) Claim **MUST** always be returned in the UserInfo Response." Closes https://github.com/zitadel/zitadel/issues/8591 |
||
---|---|---|
.. | ||
integration_test | ||
access_token.go | ||
amr_test.go | ||
amr.go | ||
auth_request_converter_test.go | ||
auth_request_converter_v2.go | ||
auth_request_converter.go | ||
auth_request.go | ||
client_converter.go | ||
client_credentials.go | ||
client.go | ||
device_auth.go | ||
error_test.go | ||
error.go | ||
introspect.go | ||
jwt-profile.go | ||
key_test.go | ||
key.go | ||
op.go | ||
server_test.go | ||
server.go | ||
token_client_credentials.go | ||
token_code.go | ||
token_device.go | ||
token_exchange_converter.go | ||
token_exchange.go | ||
token_jwt_profile.go | ||
token_refresh.go | ||
token.go | ||
userinfo_test.go | ||
userinfo.go |