and only validate when present

panva · Jul 4, 2017 · cba06d7 · cba06d7
1 parent fd4ff95
commit cba06d7
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/lib/actions/authorization/decode_request.js b/lib/actions/authorization/decode_request.js
@@ -83,7 +83,10 @@ module.exports = (provider) => {
 
     if (alg !== 'none') {
       try {
-        const opts = { issuer: client.clientId, audience: provider.issuer };
+        const opts = {
+          issuer: payload.iss ? client.clientId : undefined,
+          audience: payload.aud ? provider.issuer : undefined,
+        };
         await JWT.verify(params.request, client.keystore, opts);
       } catch (err) {
         ctx.throw(400, 'invalid_request_object', {