do not require token signature by default

leastprivilege · leastprivilege · commit eb763ae51702 · 2021-05-11T19:53:42.000+02:00
diff --git a/global.json b/global.json
@@ -1,6 +1,7 @@
 {
   "sdk": {
     "version": "5.0.100",
-    "rollForward": "latestMajor"
+    "rollForward": "latestMajor",
+    "allowPrerelease": false
   }
 }
diff --git a/src/OidcClient/Policy.cs b/src/OidcClient/Policy.cs
@@ -42,7 +42,7 @@ public class Policy
         /// <value>
         /// <c>true</c> if identity token must be signed; otherwise, <c>false</c>.
         /// </value>
-        public bool RequireIdentityTokenSignature { get; set; } = true;
+        public bool RequireIdentityTokenSignature { get; set; } = false;
 
         /// <summary>
         /// Gets or sets a value indicating whether the identity token issuer name should match.
diff --git a/test/JwtValidationTests/CodeFlowResponseTestsWithJwtValidation.cs b/test/JwtValidationTests/CodeFlowResponseTestsWithJwtValidation.cs
@@ -183,6 +183,7 @@ public async Task Valid_response_with_missing_signature_should_succeed()
         [Fact]
         public async Task Valid_response_with_missing_signature_should_fail()
         {
+            _options.Policy.RequireIdentityTokenSignature = true;
             var client = new OidcClient(_options);
             var state = await client.PrepareLoginAsync();
 

Original file line number	Diff line number	Diff line change
`@@ -183,6 +183,7 @@ public async Task Valid_response_with_missing_signature_should_succeed()`
`183`	`183`	`[Fact]`
`184`	`184`	`public async Task Valid_response_with_missing_signature_should_fail()`
`185`	`185`	`{`
	`186`	`+ _options.Policy.RequireIdentityTokenSignature = true;`
`186`	`187`	`var client = new OidcClient(_options);`
`187`	`188`	`var state = await client.PrepareLoginAsync();`
`188`	`189`