JwtClientAssertionDecoderFactory validating iss claim against client id instead of issuer #2231

@echijioke

Description

Describe the bug
When validating a JWT, the JwtClientAssertionDecoderFactory, using its DEFAULT_JWT_VALIDATOR_FACTORY, requires that the JWT iss claim string equal the client ID of the registered client, rather than the issuer of the registered client.

This happens in this code in JwtClientAssertionDecoderFactory.java:

	private static Function<RegisteredClient, OAuth2TokenValidator<Jwt>> defaultJwtValidatorFactory() {
		return (registeredClient) -> {
			String clientId = registeredClient.getClientId();
			// The iss claim is compared against the registered client's client_id
			return new DelegatingOAuth2TokenValidator<>(new JwtClaimValidator<>(JwtClaimNames.ISS, clientId::equals),
					...
					...
					...
					new JwtTimestampValidator());
		};
	}

To Reproduce
Attempt to perform a client authentication using a JWT client assertion with the client_secret_jwt authentication method. The JWT validation will fail because the iss claim doesn't match the client ID (I might be missing something, but I can't imagine why it should).

Expected behavior
I would expect the JWT iss claim to be evaluated to match the registered client's issuer, not the registered client ID.
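For reference, the check the snippet above performs is the one RFC 7523 section 3 and OpenID Connect Core section 9 specify for client_secret_jwt: the client itself issues the assertion, so iss (and sub) carry the client_id, and aud names the authorization server (token endpoint or issuer). The following is an added, stand-alone re-implementation of that validation in Python, not code from Spring Authorization Server or from the issue author; it builds an HS256 client_secret_jwt assertion and validates it, so the two iss choices discussed in the issue can be compared side by side. The client ID, secret, issuer URL and token endpoint are constructed sample values, and the sub, aud, exp and alg checks are the spec's requirements rather than claims about what the elided part of the snippet contains.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed sample values (assumptions for this example, not from the issue).
CLIENT_ID = "messaging-client"
CLIENT_SECRET = b"a-32-byte-minimum-client-secret-value!!"
ISSUER = "https://auth.example.com"
TOKEN_ENDPOINT = ISSUER + "/oauth2/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(iss: str, client_secret: bytes = CLIENT_SECRET,
                           now: Optional[int] = None) -> str:
    """Build an HS256 client_secret_jwt assertion (RFC 7523 / OIDC Core 9).

    The caller chooses iss so that both the conforming value (client_id) and
    the issuer URL proposed in the issue can be tried against the validator.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": iss,
        "sub": CLIENT_ID,            # subject MUST be the client_id
        "aud": [TOKEN_ENDPOINT],     # audience is the authorization server
        "jti": "n-0S6_WzA2Mj",       # constructed unique token id
        "iat": now,
        "exp": now + 60,
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    # client_secret_jwt: HMAC keyed with the registered client secret
    sig = hmac.new(client_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_client_assertion(assertion: str, registered_client_id: str,
                              client_secret: bytes = CLIENT_SECRET,
                              now: Optional[int] = None) -> List[str]:
    """Validate a client assertion the way the spec requires; return the list of errors."""
    now = int(time.time()) if now is None else now
    errors: List[str] = []
    try:
        h, p, s = assertion.split(".")
    except ValueError:
        return ["malformed token"]
    # Pin the algorithm before trusting the signature (no alg confusion).
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        errors.append("unexpected alg")
    expected = hmac.new(client_secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        errors.append("bad signature")
    claims = json.loads(_b64url_decode(p))
    # This is the check from the issue: iss must equal the registered client_id.
    if claims.get("iss") != registered_client_id:
        errors.append("iss != client_id")
    if claims.get("sub") != registered_client_id:
        errors.append("sub != client_id")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if not ({TOKEN_ENDPOINT, ISSUER} & set(aud)):
        errors.append("aud does not contain the token endpoint or issuer")
    if claims.get("exp") is None or claims["exp"] <= now:
        errors.append("expired or missing exp")
    return errors


if __name__ == "__main__":
    # Conforming assertion: iss is the client_id, so it validates.
    print(validate_client_assertion(build_client_assertion(CLIENT_ID), CLIENT_ID))
    # Assertion with iss set to the issuer URL, as proposed in the issue: rejected.
    print(validate_client_assertion(build_client_assertion(ISSUER), CLIENT_ID))
```

Running the block prints an empty error list for the assertion whose iss is the client_id and a single "iss != client_id" error for the one whose iss is the issuer URL, which is the behaviour the reporter observed with the default validator.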
