nov · bufferoverflow · Jul 7, 2024
diff --git a/lib/openid_connect/response_object/id_token.rb b/lib/openid_connect/response_object/id_token.rb
@@ -21,9 +21,9 @@ def initialize(attributes = {})
         self.auth_time = auth_time.to_i unless auth_time.nil?
       end
 
-      def verify!(expected = {})
+      def verify!(expected = {}, skip_issuer = false)
         raise ExpiredToken.new('Invalid ID token: Expired token') unless exp.to_i > Time.now.to_i
-        raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless iss == expected[:issuer]
+        raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless (iss == expected[:issuer] || skip_issuer == true)
         raise InvalidNonce.new('Invalid ID Token: Nonce does not match') unless nonce == expected[:nonce]
 
         # aud(ience) can be a string or an array of strings

diff --git a/spec/openid_connect/response_object/id_token_spec.rb b/spec/openid_connect/response_object/id_token_spec.rb
@@ -79,6 +79,18 @@
       end
     end
 
+    context 'when issuer is invalid and skip_issuer is set' do
+      it do
+        id_token.verify!(
+          {
+            issuer: 'some-issuer',
+            client_id: attributes[:aud],
+          },
+          true
+        ).should == true
+      end
+    end
+
     context 'when issuer is missing' do
       it do
         expect do