remove sub from access token introspection (#3354)

woutslakhorst · web-flow · commit 38e9aac9d89b · 2024-09-13T09:02:25.000+02:00
diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
@@ -410,7 +410,6 @@ func (r Wrapper) introspectAccessToken(input string) (*ExtendedTokenIntrospectio
 		Iat:                     &iat,
 		Exp:                     &exp,
 		Iss:                     &token.Issuer,
-		Sub:                     &token.Issuer,
 		ClientId:                &token.ClientId,
 		Scope:                   &token.Scope,
 		Vps:                     &token.VPToken,
diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
@@ -760,7 +760,6 @@ func TestWrapper_IntrospectAccessToken(t *testing.T) {
 			Iat:                     to.Ptr(int(tNow.Unix())),
 			Iss:                     to.Ptr("resource-owner"),
 			Scope:                   to.Ptr("test"),
-			Sub:                     to.Ptr("resource-owner"),
 			Vps:                     &[]VerifiablePresentation{presentation},
 			PresentationSubmissions: to.Ptr(presentationSubmissions),
 			PresentationDefinitions: to.Ptr(presentationDefinitions),
diff --git a/auth/api/iam/generated.go b/auth/api/iam/generated.go
diff --git a/docs/_static/auth/v2.yaml b/docs/_static/auth/v2.yaml
@@ -594,10 +594,6 @@ components:
           type: string
           description: Contains the DID of the authorizer. Should be equal to 'sub'
           example: did:web:example.com:resource-owner
-        sub:
-          type: string
-          description: Contains the DID of the resource owner
-          example: did:web:example.com:resource-owner
         aud:
           type: string
           description: RFC7662 - Service-specific string identifier or list of string identifiers representing the intended audience for this token, as defined in JWT [RFC7519].
diff --git a/e2e-tests/browser/client/iam/generated.go b/e2e-tests/browser/client/iam/generated.go
diff --git a/e2e-tests/browser/openid4vp_employeecredential/main_test.go b/e2e-tests/browser/openid4vp_employeecredential/main_test.go
@@ -88,8 +88,6 @@ func Test_UserAccessToken_EmployeeCredential(t *testing.T) {
 	// Note to reviewer: audience is empty?
 	require.Equal(t, "https://nodeB/oauth2/"+subjectRequester, *tokenInfo.ClientId)
 	require.Equal(t, "https://nodeA/oauth2/"+subjectVerifier, *tokenInfo.Iss)
-	// Note to reviewer: is "sub" right?
-	require.Equal(t, "https://nodeA/oauth2/"+subjectVerifier, *tokenInfo.Sub)
 	require.NotEmpty(t, tokenInfo.Exp)
 	require.NotEmpty(t, tokenInfo.Iat)
 	// Check the mapped input descriptor fields: for organization credential and employee credential
