- changed status to open
Allow Issuer and subject in client JWT assertion to be different
Hi all,
Currently it is required that, if a client assertion is used for JWT client authentication, the issuer and subject are the same. See the JWTAuthentication.java class, line 105: https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/2e2df4943a09372051e0c01bc97342455ca90758/src/main/java/com/nimbusds/oauth2/sdk/auth/JWTAuthentication.java#lines-105
However, there is no such requirement in the standard: https://datatracker.ietf.org/doc/html/rfc7523#section-2.2
In our use case the issuer would be the OIDC server that created the assertion and the subject would be the client id.
Similar issue to: https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/437
Best Regards, Patrick Firnkes
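An added example, not part of the original report and not the SDK's code: a claims check that lets `iss` differ from `sub` while still treating `sub` as the client_id (RFC 7523 section 3) and restricting which external issuers may vouch for a given client. The `Claims` record, the `trustedIssuers` policy map and all sample values are hypothetical and constructed for illustration.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class ClientAssertionClaimsCheck {

    /** Claims of a client assertion (hypothetical holder type, not an SDK class). */
    record Claims(String iss, String sub, List<String> aud, Instant exp) {}

    /**
     * Assumes the JWT signature was already verified with a key bound to iss
     * (the issuer's key, not the client's, when the two differ).
     * trustedIssuers: client_id -> external issuers allowed to mint assertions
     * for that client (hypothetical policy store).
     */
    static String check(Claims c, String expectedAud,
                        Map<String, Set<String>> trustedIssuers, Instant now) {
        if (c.iss() == null || c.sub() == null) return "missing iss or sub";
        if (c.aud() == null || !c.aud().contains(expectedAud)) return "audience mismatch";
        if (c.exp() == null || !c.exp().isAfter(now)) return "expired";
        // sub identifies the client; a self-issued assertion (iss == sub) passes here.
        // A different iss is accepted only if allow-listed for exactly this client,
        // otherwise any issuer could assert any client_id.
        boolean selfIssued = c.iss().equals(c.sub());
        if (!selfIssued
                && !trustedIssuers.getOrDefault(c.sub(), Set.of()).contains(c.iss())) {
            return "issuer not trusted for client " + c.sub();
        }
        return "ok";
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Instant now = Instant.parse("2022-09-01T00:00:00Z");
        Instant exp = now.plusSeconds(300);
        String tokenEndpoint = "https://as.example.com/token";
        List<String> aud = List.of(tokenEndpoint);
        Map<String, Set<String>> policy =
                Map.of("client-123", Set.of("https://idp.example.com"));

        Claims selfIssued = new Claims("client-123", "client-123", aud, exp);
        Claims viaIdp = new Claims("https://idp.example.com", "client-123", aud, exp);
        Claims rogue = new Claims("https://other.example.net", "client-123", aud, exp);

        for (Claims c : List.of(selfIssued, viaIdp, rogue)) {
            System.out.println(c.iss() + " -> " + check(c, tokenEndpoint, policy, now));
        }
    }
}
```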
Comments (4)
- changed status to resolved
- Released in version 9.42 (2022-09-01)
Happy coding!
- Thanks a lot.
Thanks for the report Patrick. This will be addressed now.