This repository has been archived by the owner on Aug 28, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 175
access token validation should not require a sub claim #333
Comments
@sigratton Thank you for pointing it out. jsonWebToken.verify is used to verify both id_token and access_token, so we cannot simply remove that line. We will make the changes to support the client credential token and let you know once the fix is ready. |
Thank you - I am happy to help with the fix if you let me know what you are
thinking in terms of implementation. I assume you will let the bearer
strategy provide some sort of configuration to jsonWebToken.verify
Regards
Simon.
…On Tue, Aug 15, 2017 at 1:50 AM, Sijun Liu ***@***.***> wrote:
@sigratton <https://github.com/sigratton> Thank you for pointing it out.
jsonWebToken.verify is used to verify both id_token and access_token, so we
cannot simply remove that line. We will make the changes to support the
client credential token and let you know once the fix is ready.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#333 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/APjSzJs94USY_qmXZIhAme5MA0I2aVUjks5sYIjlgaJpZM4O1ZRz>
.
|
lovemaths
added a commit
that referenced
this issue
Aug 15, 2017
lovemaths
changed the title
Client Credentials flow should not require a sub claim - jsonWebToken.js like 170
access token validation should not require a sub claim
Aug 15, 2017
@sigratton Yes that's right. Please take a look at my PR (#334), see if the change works for you. Thank you. |
lovemaths
added a commit
that referenced
this issue
Aug 17, 2017
Issue #333 jwt should not check sub for access token
Closing since it is committed to dev branch. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The current implementation of jsonWebToken.verify enforces that a sub claim is present in the token. There is no notion of a sub claim in an access token that has been obtained via a client credentials flow, since it is designed for server to server interaction. Hence the BearerStrategy returns a 401 when presented with an token from client creds, because the jwt verify fails on line 170/171
I suggest the check on line 170 & 171 be removed. Happy to submit a PR.
The text was updated successfully, but these errors were encountered: