Remote validation fails when the introspection endpoint does not return sub claims #598
guillaume-perreal started this conversation in General
-
I don't see why you should not be able to use an OAuth 2.0 RS setup; how does it fail?
-
Hello,
For development purposes, I'm using GitLab as an OP. GitLab provides opaque access tokens and its introspection endpoint does not return any sub-like claim (as allowed by RFC 7662; all claims but "active" are optional), so there is no way to get user info from these two sources alone. This causes mod_auth_openidc to fail to remotely validate GitLab tokens, as described there.
Is anyone aware of a workaround?