Save sub or user_id if not provided; remove extemporaneous ID token attributes #469
Conversation
// Populate legacy user_id property, if not provided.
if ( ! isset( $decoded_token->user_id ) ) {
    $decoded_token->user_id = $decoded_token->sub;
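Review bot: the fallback `$decoded_token->user_id = $decoded_token->sub;` assumes `sub` is present; if it is missing, `user_id` is silently populated with null and the login continues without a stable identifier. Since OIDC mandates `sub` in an ID token, reject the token (or fail loudly) when `sub` is absent before this fallback runs, rather than letting the null propagate into the saved userinfo.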
Why? If you ensure you always have a sub, you can make your code rely on that.
Again, standardizing between the two. Implicit has both and "make your code rely on that" is a little more involved than it might seem.
If this targets a new major I'd argue that you should keep only one, sub, in this case, since it's what the standard uses. But since there shouldn't be breaking changes on this minor release, let's keep both. Just remember for the next one this should be changed.
// Populate legacy userinfo property.
$decoded_token->user_id = $decoded_token->sub;
// Remove unneeded ID token attributes.
foreach ( array( 'iss', 'aud', 'iat', 'exp', 'nonce', 'clientID' ) as $attr ) {
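Review bot: this assigns `user_id` from `sub` unconditionally, while the other snippet in this PR only does so when `user_id` is not already set, so an IdP-supplied `user_id` would be overwritten here. Use the same `isset` guard in both places, or document that this flow always derives `user_id` from `sub`. Also, because the `foreach` strips `aud`, `exp` and `nonce`, the audience, expiry and nonce checks must already have run on `$decoded_token` before this point; once those attributes are removed nothing downstream can re-verify them.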
What's the reason to remove them? How will you know if a token works for a given audience or if the token is still valid (without making a network request)?
This is just saving userinfo, we don't use it as a token. I'm trying to get the information that we're saving to be more consistent between the two login flows. Also, this isn't saved as id_token, so it's a bit confusing to use it as such.
user_id and sub saved for both login flows
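The pattern the thread settles on (populate user_id from sub when absent, then strip the token-protocol claims before saving userinfo), written out as an added example in PHP that is not the plugin's code. It makes the reviewer's concern concrete by checking iss, aud, exp and nonce on the decoded token before those claims are discarded, so the stripped object is only ever built from a token that already passed validation. It assumes the JWT signature has been verified by the caller; the function name normalize_userinfo, its expected_iss/expected_aud/expected_nonce parameters and the sample payload are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Assumes the caller has already
// verified the JWT signature and that $decoded_token is the decoded payload
// as a stdClass, as in the snippets under review. The function and parameter
// names are illustrative assumptions.

function normalize_userinfo(
	stdClass $decoded_token,
	string $expected_iss,
	string $expected_aud,
	?string $expected_nonce = null,
	?int $now = null
): stdClass {
	$now = $now ?? time();

	// OIDC requires sub; without it there is nothing stable to key the user on.
	if ( ! isset( $decoded_token->sub ) || '' === (string) $decoded_token->sub ) {
		throw new InvalidArgumentException( 'ID token has no sub claim' );
	}

	// Issuer must match the tenant we expect exactly.
	if ( ! isset( $decoded_token->iss ) || $decoded_token->iss !== $expected_iss ) {
		throw new InvalidArgumentException( 'ID token issuer mismatch' );
	}

	// aud may be a string or an array of strings; our client ID must be in it.
	$aud      = $decoded_token->aud ?? null;
	$aud_list = is_array( $aud ) ? $aud : array( $aud );
	if ( ! in_array( $expected_aud, $aud_list, true ) ) {
		throw new InvalidArgumentException( 'ID token audience mismatch' );
	}

	// Reject expired tokens here: once exp is stripped this cannot be re-checked.
	if ( ! isset( $decoded_token->exp ) || (int) $decoded_token->exp <= $now ) {
		throw new InvalidArgumentException( 'ID token has expired' );
	}

	// nonce binds the token to the login request that started this flow.
	if ( null !== $expected_nonce ) {
		if ( ! isset( $decoded_token->nonce )
			|| ! hash_equals( $expected_nonce, (string) $decoded_token->nonce ) ) {
			throw new InvalidArgumentException( 'ID token nonce mismatch' );
		}
	}

	// Build the userinfo object on a copy so the verified token stays intact.
	$userinfo = clone $decoded_token;

	// Populate legacy user_id from sub only if the IdP did not supply one.
	if ( ! isset( $userinfo->user_id ) ) {
		$userinfo->user_id = $userinfo->sub;
	}

	// Drop the token-protocol claims; they are not user profile data.
	foreach ( array( 'iss', 'aud', 'iat', 'exp', 'nonce', 'clientID' ) as $attr ) {
		unset( $userinfo->$attr );
	}

	return $userinfo;
}

// Constructed sample payload for a local run (not a real token).
$token = (object) array(
	'iss'   => 'https://example.auth0.com/',
	'sub'   => 'auth0|abc123',
	'aud'   => 'my-client-id',
	'iat'   => 1500000000,
	'exp'   => 1500003600,
	'nonce' => 'n-0S6_WzA2Mj',
	'email' => 'user@example.com',
);

// Valid for this client at a time before exp: returns sub, user_id and email only.
$userinfo = normalize_userinfo( $token, 'https://example.auth0.com/', 'my-client-id', 'n-0S6_WzA2Mj', 1500000100 );
print_r( $userinfo );

// The same payload presented for a different client is rejected before anything is saved.
try {
	normalize_userinfo( $token, 'https://example.auth0.com/', 'other-client', 'n-0S6_WzA2Mj', 1500000100 );
} catch ( InvalidArgumentException $e ) {
	echo $e->getMessage(), PHP_EOL;
}
```

The ordering is the point: every check runs against the full decoded token, and only the object that is persisted loses iss, aud, iat, exp, nonce and clientID. Working on a clone also leaves the verified token available if a later step (for example an access-token exchange in the implicit flow) still needs those claims.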