Empty subject not validated during login/consent

[westphahl]

Describe the bug
Hydra allows accepting a login request without giving a subject. Also the documentation lists the "subject" as non-required property in the "acceptLoginRequest" schema [0].

According to the discussion in [1] the subject can not be empty. This should be validated during login/consent.

[0] https://www.ory.sh/docs/hydra/sdk/api#schemaacceptloginrequest
[1] https://community.ory.sh/t/accepting-a-login-request-without-a-subject/891

To Reproduce
Steps to reproduce the behavior: Accept a login request without a subject.
This leads to the following error log:

INFO[4689] started handling request                      method=GET remote="172.17.0.1:34512" request="/oauth2/auth?response_type=code&client_id=test-client&redirect_uri=http%3A%2F%2Flocalhost&scope=openid+offline&state=iampredictable"
INFO[4689] completed handling request                    measure#http://localhost:4444.latency=160594 method=GET remote="172.17.0.1:34512" request="/oauth2/auth?response_type=code&client_id=test-client&redirect_uri=http%3A%2F%2Flocalhost&scope=openid+offline&state=iampredictable" status=302 text_status=Found took="160.594µs"
INFO[4689] started handling request                      method=GET remote="172.17.0.1:40588" request=/oauth2/auth/requests/login/ffa457cbd90543dca55ca98bef1d7858
INFO[4689] completed handling request                    measure#http://localhost:4444.latency=98857 method=GET remote="172.17.0.1:40588" request=/oauth2/auth/requests/login/ffa457cbd90543dca55ca98bef1d7858 status=200 text_status=OK took="98.857µs"
INFO[4689] started handling request                      method=PUT remote="172.17.0.1:40588" request=/oauth2/auth/requests/login/ffa457cbd90543dca55ca98bef1d7858/accept
INFO[4689] completed handling request                    measure#http://localhost:4444.latency=96532 method=PUT remote="172.17.0.1:40588" request=/oauth2/auth/requests/login/ffa457cbd90543dca55ca98bef1d7858/accept status=200 text_status=OK took="96.532µs"
INFO[4689] started handling request                      method=GET remote="172.17.0.1:34512" request="/oauth2/auth?client_id=test-client&login_verifier=8263c914a70e46cf9072f3ad9bb9affc&redirect_uri=http%3A%2F%2Flocalhost&response_type=code&scope=openid+offline&state=iampredictable"
ERRO[4689] An error occurred                             debug="Failed to validate OpenID Connect request because session subject is empty." description="The authorization server encountered an unexpected condition that prevented it from fulfilling the request" error=server_error
INFO[4689] completed handling request                    measure#http://localhost:4444.latency=207280 method=GET remote="172.17.0.1:34512" request="/oauth2/auth?client_id=test-client&login_verifier=8263c914a70e46cf9072f3ad9bb9affc&redirect_uri=http%3A%2F%2Flocalhost&response_type=code&scope=openid+offline&state=iampredictable" status=302 text_status=Found took="207.28µs"

Expected behavior

• Hydra validates that the subject is given during login/consent.
• Documentation lists the subject as mandatory

Version:

• Environment: Docker
• Version v1.0.0-rc.6_oryOS.10

[aeneasr]

Thanks! Tracked as enhancement