access token validation should not require a sub claim

[sigratton]

The current implementation of jsonWebToken.verify enforces that a sub claim is present in the token. There is no notion of a sub claim in an access token that has been obtained via a client credentials flow, since it is designed for server to server interaction. Hence the BearerStrategy returns a 401 when presented with an token from client creds, because the jwt verify fails on line 170/171

I suggest the check on line 170 & 171 be removed. Happy to submit a PR.

[lovemaths]

@sigratton Thank you for pointing it out. jsonWebToken.verify is used to verify both id_token and access_token, so we cannot simply remove that line. We will make the changes to support the client credential token and let you know once the fix is ready.

[sigratton]

Thank you - I am happy to help with the fix if you let me know what you are thinking in terms of implementation. I assume you will let the bearer strategy provide some sort of configuration to jsonWebToken.verify Regards Simon.

…

On Tue, Aug 15, 2017 at 1:50 AM, Sijun Liu ***@***.***> wrote: @sigratton <https://github.com/sigratton> Thank you for pointing it out. jsonWebToken.verify is used to verify both id_token and access_token, so we cannot simply remove that line. We will make the changes to support the client credential token and let you know once the fix is ready. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#333 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/APjSzJs94USY_qmXZIhAme5MA0I2aVUjks5sYIjlgaJpZM4O1ZRz> .

[lovemaths]

@sigratton Yes that's right. Please take a look at my PR (#334), see if the change works for you. Thank you.

[lovemaths]

Closing since it is committed to dev branch.