connect2id / OAuth 2.0 SDK with OpenID Connect extensions / issues / #393 - Allow Issuer and subject in client JWT assertion to be different — Bitbucket

Issue #393 resolved

Former user created an issue 2022-06-23

Hi all,

currently it is required that if a client assertion is used for JWT client authentication, that the issuer and subject are the same. See: JWTAuthentication.java class line 105 https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/2e2df4943a09372051e0c01bc97342455ca90758/src/main/java/com/nimbusds/oauth2/sdk/auth/JWTAuthentication.java#lines-105

However, there is no such requirement in the standard https://datatracker.ietf.org/doc/html/rfc7523#section-2.2

In our use case the issuer would be the OIDC server the created the assertion and the subject would be the client id.

Similar issue to: https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/437

Best Regards, Patrick Firnkes

Comments (4)

Yavor Vasilev
- changed status to open
Thanks for the report Patrick. This will be addressed now.
- 2022-09-01T09:04:17+00:00
Yavor Vasilev
- changed status to resolved
Updated: d3336b2ec990a61b6a6eb926bf67b6f9d58445f1
- 2022-09-01T10:10:47+00:00
Yavor Vasilev
Released in version 9.42 (2022-09-01)

Happy coding!
- 2022-09-01T10:12:09+00:00
Deniz Husaj
Thanks a lot.
- 2022-09-01T10:29:59+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Milestone: –

Votes: 1

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!