There is a security improvement for JWT (JSON Web Token), found within the recently published RFC9101 section 10.8

“One way that an attacker might attempt to repurpose a Request Object is to try to use it as a client authentication JWT, as described in Section 2.2 of [RFC7523]. A simple way to prevent this is to never use the client ID as the sub value in a Request Object.”

To minimize backwards compatibility impact, we have chosen not to present the client_id in the sub claim when Passing a Request Object by Value. A description of the correction can be found in the change log: SSO 8.9.3

Please find the SSO 8.9.3 patch at:

As with all software, Ubisecure would like to encourage you to upgrade your Identity Platform in a timely manner. Please contact your Integration Partner or Ubisecure Account Representative with any questions. Ubisecure encourages all customers to review and schedule service upgrade to this latest release. Bringing system flexibility, security, and new features to ensure the best user experience possible for your businesses is our goal.