From 1c17c200971c7e1840f14f7e8218cf4321e09538 Mon Sep 17 00:00:00 2001
From: Tommie Gannert
Date: Tue, 4 Oct 2022 12:15:07 +0200
Subject: [PATCH] Remove the check for claims_supported in OpenID Connect SSO.

This is speced as "not exhaustive" and "optional", which means it's completely meaningless for standard claims.

* https://github.com/goauthentik/authentik/issues/3702
* https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
---
 clientapi/auth/sso/oidc.go | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/clientapi/auth/sso/oidc.go b/clientapi/auth/sso/oidc.go
index 7d00e457f..ec8d2300f 100644
--- a/clientapi/auth/sso/oidc.go
+++ b/clientapi/auth/sso/oidc.go
@@ -123,7 +123,6 @@ type oidcDiscovery struct {
 TokenEndpoint string `json:"token_endpoint"`
 UserinfoEndpoint string `json:"userinfo_endpoint"`
 ScopesSupported []string `json:"scopes_supported"`
- ClaimsSupported []string `json:"claims_supported"`
 }
 
 func oidcDiscover(ctx context.Context, url string) (*oidcDiscovery, error) {
@@ -167,14 +166,6 @@ func oidcDiscover(ctx context.Context, url string) (*oidcDiscovery, error) {
 }
 }
 
- if disc.ClaimsSupported != nil {
- for _, claim := range []string{"iss", "sub"} {
- if !stringSliceContains(disc.ClaimsSupported, claim) {
- return nil, fmt.Errorf("claim %q is not supported in %q", claim, url)
- }
- }
- }
-
 return &disc, nil
 }
 