skip iss claim validation for Azure AD access tokens #65
MonsieurRz
started this conversation in General
Replies: 1 comment
-
yes, that is what Azure AD access tokens happen to require;
-
Hello,
My access_token got rejected, seemingly because of a non-matching iss value (it's Azure).
When I change validate.iss to "skip", I log in successfully.
```
[Fri Aug 02 12:18:31.778682 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/jose.c(948): [client XX.XXX.XX.XX:YYYYY] _oauth2_jose_jwt_verify_jwk: cjose_jws_verify returned true
[Fri Aug 02 12:18:31.778690 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/jose.c(961): [client XX.XXX.XX.XX:YYYYY] _oauth2_jose_jwt_verify_jwk: leave: rc=1
[Fri Aug 02 12:18:31.778708 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/jose.c(1329): [client XX.XXX.XX.XX:YYYYY] oauth2_jose_jwt_verify: got plaintext (len=794): {"aud":"https://xxxxxx.xxxxx xxx.xxx","iss":"https://sts.windows.net/xxxxx-xxxxx-xxxx-xxxx/","iat":1722592222,"nbf":1722592222,"exp":1722597379,"acr":"1","aio":"xxxxxxxxxxxxxx 3LNRufGgHSr0hZ9j83R+QMav1Ofy84g/4YP9raodFPuxYJTs+sNUqp6X0=","amr":["pwd","mfa"],"appid":"xxxx-xxxxx-xxx-xxx-xxxx","appidacr":"0","ipaddr":"xxxxxxxx","name":"xx xx","oid":"xx-xx -xx-xx-xx","rh":"0.xxxx-xxxx-xxxxxx.","scp":"plw","sub":"xxxxx-xxxxxxx","tid":"xxxxxxxx-xxxxx-xxxxx-xxxxxxxxx","unique_name": "xxxx","upn":"xxxxx","uti":"lpwdBOWKW0-xxxxxx","ver":"1.0","xxxx":"xxxx"}
[Fri Aug 02 12:18:31.778736 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/jose.c(1218): [client XX.XXX.XX.XX:YYYYY] _oauth2_jose_jwt_payload_validate: enter
[Fri Aug 02 12:18:31.778744 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/jose.c(1052): [client XX.XXX.XX.XX:YYYYY] _oauth2_jose_jwt_validate_iss: enter: iss=https://login.microsoftonline.com/xxxxxxx/v2.0, validate=optional
[Fri Aug 02 12:18:31.778755 2024] [oauth2:error] [pid 947603:tid 140568776668736] [client XX.XXX.XX.XX:YYYYY] _oauth2_jose_jwt_validate_iss: requested issuer (https://login.microsoftonline.com/xxxxx/v2.0) does not match received "iss" value in id_token (https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-xxxxx/)
[Fri Aug 02 12:18:31.778763 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/jose.c(1092): [client XX.XXX.XX.XX:YYYYY] _oauth2_jose_jwt_validate_iss: leave: 0
[Fri Aug 02 12:18:31.778773 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/jose.c(1244): [client XX.XXX.XX.XX:YYYYY] _oauth2_jose_jwt_payload_validate: leave: 0
[Fri Aug 02 12:18:31.778789 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/jose.c(1360): [client XX.XXX.XX.XX:YYYYY] oauth2_jose_jwt_verify: leave: 0
[Fri Aug 02 12:18:31.778814 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/oauth2.c(904): [client XX.XXX.XX.XX:YYYYY] oauth2_token_verify: leave: 0
[Fri Aug 02 12:18:31.778823 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/server/apache.c(368): [client XX.XXX.XX.XX:YYYYY] oauth2_apache_return_www_authenticate: enter
[Fri Aug 02 12:18:31.778835 2024] [oauth2:debug] [pid 947603:tid 140568776668736] src/server/apache.c(460): [client XX.XXX.XX.XX:YYYYY] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="invalid_token", error_description="Token could not be verified."
```
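As an added illustration (not liboauth2/mod_oauth2 code), the Python below checks the iss claim of an already signature-verified Azure AD token against both issuer forms that appear in the log above, the v1.0 sts.windows.net form and the v2.0 login.microsoftonline.com form for the same tenant, instead of skipping the check entirely; the tenant id and the claim set are constructed placeholders.

```python
"""Issuer allowlist check for Azure AD access tokens (added illustration,
not liboauth2/mod_oauth2 code). Runs on the claim set after the signature
has already verified, which is where the log above fails on iss."""

# Constructed placeholder; a real Entra tenant id is a GUID.
EXPECTED_TENANT = "00000000-0000-0000-0000-000000000000"

# Constructed claim set shaped like the redacted v1.0 token in the log.
SAMPLE_CLAIMS = {
    "aud": "https://api.example.test",
    "iss": f"https://sts.windows.net/{EXPECTED_TENANT}/",
    "tid": EXPECTED_TENANT,
    "ver": "1.0",
    "scp": "plw",
}


def azure_issuers(tenant_id: str) -> dict:
    """The two issuer strings Azure AD emits for one tenant, keyed by the
    token's 'ver' claim: v1.0 access tokens use sts.windows.net, v2.0
    tokens use login.microsoftonline.com/<tenant>/v2.0."""
    return {
        "1.0": f"https://sts.windows.net/{tenant_id}/",
        "2.0": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def validate_issuer(claims: dict, tenant_id: str = EXPECTED_TENANT) -> tuple:
    """Return (ok, reason). exp/nbf/aud and the signature are assumed to
    have been checked already; this only decides whether 'iss' is
    acceptable, as a narrower alternative to validate.iss=skip."""
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return False, "missing iss"
    allowed = azure_issuers(tenant_id)
    if iss not in allowed.values():
        # Also rejects another tenant's issuer: Microsoft's signing keys are
        # shared across tenants, so the signature alone does not bind the
        # token to this tenant; the issuer string and tid do.
        return False, f"iss {iss!r} is not an issuer for the expected tenant"
    if claims.get("tid") != tenant_id:
        return False, "tid does not match the expected tenant"
    ver = claims.get("ver")
    if allowed.get(ver) != iss:
        return False, f"issuer form does not match ver={ver!r}"
    return True, "ok"


if __name__ == "__main__":
    print(validate_issuer(SAMPLE_CLAIMS))  # (True, 'ok')
```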