Raise on blank REQUIRED ID Token claims instead of dropping them

55728 · 55728 · commit cf166e65a8d7 · 2026-06-15T21:35:03.000+09:00
OIDC Core 1.0 §2 lists iss/sub/aud/exp/iat as REQUIRED. IdToken#as_json
rejected nil/empty values uniformly, so a blank REQUIRED claim was
silently omitted, producing a non-conformant ID Token. Raise the new
Errors::MissingRequiredClaim for those claims; OPTIONAL claims (nonce,
auth_time, custom) are still dropped when blank.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 - [#304] allow handle auth_time per grant
 - [#305] Document the `auth_time_from_access_token` config option in the README (per-grant `auth_time`), clarifying that it only affects the ID Token `auth_time` claim and not `max_age` enforcement
 - [#307] Fix `bundle exec rake server` for the test application
+- [#312] Raise `Errors::MissingRequiredClaim` instead of silently dropping a blank REQUIRED ID Token claim (`iss`/`sub`/`aud`/`exp`/`iat`) in `IdToken#as_json`, which previously could emit a non-conformant ID Token (OIDC Core 1.0 §2). OPTIONAL claims such as `nonce`/`auth_time` are still omitted when blank
 
 ## v1.10.1 (2026-06-03)
 
diff --git a/lib/doorkeeper/openid_connect/errors.rb b/lib/doorkeeper/openid_connect/errors.rb
@@ -12,6 +12,18 @@ def type
       # internal errors
       class InvalidConfiguration < OpenidConnectError; end
 
+      # Raised when a REQUIRED ID Token claim (OIDC Core §2: iss/sub/aud/exp/iat)
+      # resolves to a blank value, which would otherwise be silently dropped and
+      # produce a non-conformant ID Token.
+      class MissingRequiredClaim < OpenidConnectError
+        attr_reader :claim
+
+        def initialize(claim)
+          @claim = claim
+          super("Required ID Token claim `#{claim}` is missing or blank")
+        end
+      end
+
       class MissingConfiguration < OpenidConnectError
         def initialize
           super("Configuration for Doorkeeper OpenID Connect missing. Do you have doorkeeper_openid_connect initializer?")
diff --git a/lib/doorkeeper/openid_connect/id_token.rb b/lib/doorkeeper/openid_connect/id_token.rb
@@ -5,6 +5,10 @@ module OpenidConnect
     class IdToken
       include ActiveModel::Validations
 
+      # OIDC Core 1.0 §2 — these claims are REQUIRED in every ID Token, so they
+      # must never be silently dropped when blank.
+      REQUIRED_CLAIMS = %i[iss sub aud exp iat].freeze
+
       attr_reader :nonce
 
       def initialize(access_token, nonce = nil, expires_in = Doorkeeper::OpenidConnect.configuration.expiration)
@@ -31,7 +35,19 @@ def claims
       end
 
       def as_json(*_)
-        claims.reject { |_, value| value.nil? || value == "" }
+        claims.each_with_object({}) do |(key, value), result|
+          blank = value.nil? || value == ""
+
+          if blank
+            # A REQUIRED claim must never be silently omitted; surface the
+            # misconfiguration instead of issuing a non-conformant ID Token.
+            raise Errors::MissingRequiredClaim, key if REQUIRED_CLAIMS.include?(key)
+
+            next
+          end
+
+          result[key] = value
+        end
       end
 
       def as_jws_token
diff --git a/spec/lib/id_token_spec.rb b/spec/lib/id_token_spec.rb
@@ -191,14 +191,42 @@
   end
 
   describe "#as_json" do
-    it "returns claims with nil values and empty strings removed" do
-      allow(subject).to receive_messages(issuer: nil, subject: "", audience: " ")
+    let(:valid_claims) do
+      {
+        iss: "dummy",
+        sub: user.id.to_s,
+        aud: access_token.application.uid,
+        exp: 180,
+        iat: 60,
+        nonce: "123456",
+      }
+    end
+
+    it "removes OPTIONAL claims with nil or empty values" do
+      # nonce / auth_time and custom claims are OPTIONAL, so blanks are dropped
+      # while the REQUIRED claims remain present.
+      allow(subject).to receive(:claims).and_return(
+        valid_claims.merge(nonce: nil, auth_time: "", custom: " "),
+      )
 
       json = subject.as_json
 
-      expect(json).not_to include :iss
-      expect(json).not_to include :sub
-      expect(json).to include :aud
+      expect(json).not_to include :nonce
+      expect(json).not_to include :auth_time
+      expect(json).to include :iss, :sub, :aud, :exp, :iat, :custom
+    end
+
+    Doorkeeper::OpenidConnect::IdToken::REQUIRED_CLAIMS.each do |claim|
+      [nil, ""].each do |blank|
+        it "raises MissingRequiredClaim when the REQUIRED #{claim} claim is #{blank.inspect}" do
+          allow(subject).to receive(:claims).and_return(valid_claims.merge(claim => blank))
+
+          expect { subject.as_json }
+            .to raise_error(Doorkeeper::OpenidConnect::Errors::MissingRequiredClaim) do |error|
+              expect(error.claim).to eq(claim)
+            end
+        end
+      end
     end
   end
 
