jumbojett · samuelwei · Apr 29, 2025 · Apr 29, 2025 · May 8, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Check existence of subject when verifying JWT #474
+- Check existence of issuer before validating #477
 - exp verification when verifying Logout Token claims #482
 
 ## [1.0.1] - 2024-09-13

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -527,7 +527,7 @@ public function verifyLogoutTokenClaims($claims): bool
         }
 
         // Validate the iss
-        if (!$this->validateIssuer($claims->iss)) {
+        if (!isset($claims->iss) || !$this->validateIssuer($claims->iss)) {
             return false;
         }
         // Validate the aud
@@ -1213,7 +1213,7 @@ protected function verifyJWTClaims($claims, ?string $accessToken = null): bool
         }
         $auds = $claims->aud;
         $auds = is_array( $auds ) ? $auds : [ $auds ];
-        return (($this->validateIssuer($claims->iss))
+        return ((isset($claims->iss) && $this->validateIssuer($claims->iss))
             && (in_array($this->clientID, $auds, true))
             && ($claims->sub === $this->getIdTokenPayload()->sub)
             && (!isset($claims->nonce) || $claims->nonce === $this->getNonce())

diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php
@@ -63,6 +63,13 @@ public function getIdTokenPayload()
             'iss' => 'issuer',
         ]);
         self::assertFalse($valid);
+
+        # missing iss
+        $valid = $client->testVerifyJWTClaims((object)[
+            'aud' => 'client-id',
+            'sub' => 'sub',
+        ]);
+        self::assertFalse($valid);
     }
     public function testJWTDecode()
     {
@@ -373,6 +380,18 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                 ],
                 false
             ],
+            'invalid-no-iss' => [
+                (object)[
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sub' => 'fake-client-sub',
+                    'sid' => 'fake-client-sid',
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ],
+                ],
+                false
+            ],
         ];
     }