Description "OidcTokenHandler" is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the "web-token/jwt-checker" library's "ClaimCheckerManager". "OidcTokenHandler::verifyClaims()" registers audience ("aud"), issuer ("iss"), and expiry ("exp") checkers, but never passes the "$mandatoryClaims" argument to "ClaimCheckerManager::check()". That method only validates claims that are present in the token: a checker for an absent claim is silently skipped. A validly-signed JWT that simply omits "aud", "iss", and "exp" therefore passes verification. Resolution The "OidcTokenHandler" now calls the "ClaimCheckerManager" with the list of mandatory claims so that tokens missing "aud", "iss", or "exp" are rejected. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/6b717aaac21b7e96798448d14c4355ea87690b3d) for branch 6.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.