From 4aa9cc6ef80090e2b1401c6dbb0d75ab313f48a4 Mon Sep 17 00:00:00 2001
From: Joe DeCock
Date: Thu, 7 Nov 2024 09:33:47 -0600
Subject: [PATCH] Drop extra check of matching sub claims

Don't want to introduce new behavior in this security fix
---
 .../AuthenticationSessionUserTokenStore.cs | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/src/Duende.AccessTokenManagement.OpenIdConnect/AuthenticationSessionUserTokenStore.cs b/src/Duende.AccessTokenManagement.OpenIdConnect/AuthenticationSessionUserTokenStore.cs
index fbf21a6..dc4d62b 100755
--- a/src/Duende.AccessTokenManagement.OpenIdConnect/AuthenticationSessionUserTokenStore.cs
+++ b/src/Duende.AccessTokenManagement.OpenIdConnect/AuthenticationSessionUserTokenStore.cs
@@ -70,13 +70,6 @@ public async Task GetTokenAsync(
             return new UserToken() { Error = "No properties on authentication result" };
         }
-
-        // This "can't happen", but if it ever did, we would have a security problem
-        if (result.Principal.FindFirstValue(JwtClaimTypes.Subject) != user.FindFirstValue(JwtClaimTypes.Subject))
-        {
-            throw new InvalidOperationException("Mismatch between expected user identity and cached authenticate result");
-        }
-
         return _tokensInProps.GetUserToken(result.Properties, parameters);
     }
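Review bot: With the sub-claim cross-check removed, the final `return _tokensInProps.GetUserToken(result.Properties, parameters);` now returns whatever tokens are stored in `result.Properties` with no confirmation in this method that `result` is the authenticate result for `user`, so the invariant the deleted comment called a "security problem" is enforced only by whatever produces `result` earlier in the method, outside this hunk. If that producer is the actual security fix, say so at the call site so a later maintainer neither re-adds the throw nor assumes a check still exists: `// result must be this request's own authenticate result for `user`; the sub-claim cross-check was dropped in 4aa9cc6 to avoid a behavior change in the security fix`. If the store has a logger, a warning-level log on a sub mismatch (instead of the old throw) would keep the condition observable without introducing new failure behavior, which appears to be the motivation for the deletion. GetTokenAsync begins before this hunk, so the origin of `result` and `user` is not visible here.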