This repository has been archived by the owner on Feb 6, 2023. It is now read-only.

Lax validation when parts are not specified #65

Open
StummeJ opened this issue Dec 9, 2020 · 1 comment

StummeJ commented Dec 9, 2020

There are a few places where the validation feels too strict.

  1. Requiring a clientId is arbitrary when checking a token in an API and should be allowed to be skipped.
  2. Even when not setting an audience the check still fails due to the token having an audience. The engineer should be able to say they do not care about the audience. (This actually extends to all 3 checks.)

@bretterer
Contributor

Hi @StummeJ. Thanks for the report here. Could you give me a little more information on what you are trying to do with these? As far as I can tell, the verifier is working this way as designed; however, I would love to hear your use case to see if we can find a solution to loosen up the restrictions here.

Would you be able to provide a code sample and use case for us to look into here?
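
An added example, not code from this repository or from either commenter: one way a verifier can let a caller opt out of a claim check without silently accepting tokens when an expected value was simply never configured. The `SKIP` sentinel, the `check_claims` function, the choice of `iss`, `aud` and `cid` as the three checks, and `cid` as the client ID claim name are assumptions for illustration; signature and expiry verification are assumed to have happened already.

```python
"""Claim checks where 'not configured' and 'deliberately skipped' are different states."""


class _Skip:
    def __repr__(self):
        return "SKIP"


SKIP = _Skip()  # hypothetical sentinel: the caller explicitly opts out of one check


class ClaimError(Exception):
    pass


def _check(name, actual, expected):
    if expected is SKIP:
        return False  # explicit opt-out chosen by the caller; the check does not run
    if expected is None:
        # Fail closed: a missing setting must not quietly disable a check.
        raise ClaimError(f"{name}: no expected value configured; pass SKIP to opt out")
    # 'aud' may be a single string or a list of strings (RFC 7519, section 4.1.3).
    values = actual if isinstance(actual, list) else [actual]
    if expected not in values:
        raise ClaimError(f"{name}: expected {expected!r}, token has {actual!r}")
    return True


def check_claims(claims, *, issuer=None, audience=None, client_id=None):
    """Validate already signature-verified claims; return the names of checks that ran."""
    wanted = {"iss": issuer, "aud": audience, "cid": client_id}  # 'cid' is an assumed claim name
    return [name for name, exp in wanted.items() if _check(name, claims.get(name), exp)]


# Constructed sample claims, not taken from a real token.
SAMPLE = {"iss": "https://idp.example/oauth2/default", "aud": "api://default", "cid": "constructed-client"}

if __name__ == "__main__":
    # An API that validates issuer and audience but does not care which client obtained the token.
    print(check_claims(SAMPLE, issuer=SAMPLE["iss"], audience="api://default", client_id=SKIP))
    try:
        check_claims(SAMPLE, issuer=SAMPLE["iss"])  # audience and client_id left unset
    except ClaimError as exc:
        print("rejected:", exc)
```

Because the list of checks that ran is returned, a caller can log it and a reviewer can see which checks a given service has opted out of.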
