feat: verify existence of subject when verifying JWT (#474)

* Add check to verify sub is set

* Update CHANGELOG.md

* Add tests

Author: samuelwei

CHANGELOG.md

@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Stop adding ?schema=openid to userinfo endpoint URL. #449
 
+### Fixed
+- Check existence of subject when verifying JWT #474
+
 ## [1.0.1] - 2024-09-13
 
 ### Fixed

src/OpenIDConnectClient.php

@@ -1191,6 +1191,11 @@ protected function validateIssuer(string $iss): bool
      */
     protected function verifyJWTClaims($claims, ?string $accessToken = null): bool
     {
+        // Verify that sub is set
+        if (!isset($claims->sub)) {
+            return false;
+        }
+	    
         if(isset($claims->at_hash, $accessToken)) {
             if(isset($this->getIdTokenHeader()->alg) && $this->getIdTokenHeader()->alg !== 'none') {
                 $bit = substr($this->getIdTokenHeader()->alg, 2, 3);

tests/OpenIDConnectClientTest.php

@@ -48,6 +48,21 @@ public function getIdTokenPayload()
             'sub' => 'sub',
         ]);
         self::assertFalse($valid);
+
+        # sub not matching
+        $valid = $client->testVerifyJWTClaims((object)[
+            'aud' => ['client-id'],
+            'iss' => 'issuer',
+            'sub' => 'sub-invalid',
+        ]);
+        self::assertFalse($valid);
+
+        # sub missing
+        $valid = $client->testVerifyJWTClaims((object)[
+            'aud' => ['client-id'],
+            'iss' => 'issuer',
+        ]);
+        self::assertFalse($valid);
     }
     public function testJWTDecode()
     {