Revision bb38bb350f571ca8864533bc952bdd1a40f6317f
Committed on 20/01/2025 3:43 am by
Antonio J. García Lagar <aj@garcialagar.es>
Fix client credentials
In `league/server-bundle` version `0.8`, when the client_credentials
grant is used, the `sub` claim of the JWT is an empty string, but in
version `0.9` it is filled with the client ID.
In [Section 5](https://datatracker.ietf.org/doc/html/rfc9068#SecurityConsiderations)
of RFC 9068, there is a recommendation to prevent the collision between `sub` claim values when the resource owner is either a client or a user.
So when client_id (derived from `aud[0]` claim) and user_id (derived from
`sub` claim) are equal, the resource owner must be a client.
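The rule the commit describes, as an added example that is not part of the commit or of `league/server-bundle`: decode the access token's claims, take the client ID from `aud[0]` and the user ID from `sub`, and treat the resource owner as a client when `sub` is empty (version `0.8`) or equal to the client ID (version `0.9`). The tokens are constructed and unsigned; a resource server must verify the signature before trusting any claim, and the rule relies on the authorization server keeping user IDs and client IDs from colliding, as RFC 9068 Section 5 recommends.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a constructed compact JWT with a placeholder signature (demo only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-omitted"


def decode_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature (demo only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def resource_owner_is_client(claims: dict) -> bool:
    """client_id comes from aud[0], user_id from sub, as in the commit message."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # RFC 7519 allows aud to be a single string
        aud = [aud]
    client_id = aud[0] if aud else None
    user_id = claims.get("sub", "")
    # server-bundle 0.8: sub is "" for client_credentials
    # server-bundle 0.9: sub equals the client ID (RFC 9068 Section 5)
    return user_id == "" or (client_id is not None and user_id == client_id)


def classify(token: str) -> str:
    return "client" if resource_owner_is_client(decode_claims(token)) else "user"


# Constructed sample tokens (hypothetical client "app-1", hypothetical user "42")
TOKEN_CC_V08 = make_demo_token({"aud": ["app-1"], "sub": ""})
TOKEN_CC_V09 = make_demo_token({"aud": ["app-1"], "sub": "app-1"})
TOKEN_USER = make_demo_token({"aud": ["app-1"], "sub": "42"})

if __name__ == "__main__":
    for name, tok in [("0.8 client", TOKEN_CC_V08), ("0.9 client", TOKEN_CC_V09), ("user", TOKEN_USER)]:
        print(f"{name}: resource owner is a {classify(tok)}")
```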