From f494c617908b9ef02472ec9836158cb76708774e Mon Sep 17 00:00:00 2001
From: Joshua Casey <joshuatcasey@gmail.com>
Date: Tue, 17 Jan 2023 11:58:03 -0600
Subject: [PATCH] additionalClaims claim should not be present when no sub
 claims are expected

Co-authored-by: Ryan Richard <richardry@vmware.com>
Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me>
---
 test/integration/supervisor_login_test.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index 5396ace0..ad1e7fca 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -2247,7 +2247,11 @@ func verifyTokenResponse(
 	require.ElementsMatch(t, wantDownstreamIDTokenGroups, idTokenClaims["groups"])
 
 	// Check the "additionalClaims" claim.
-	require.Equal(t, wantDownstreamIDTokenAdditionalClaims, idTokenClaims["additionalClaims"])
+	if len(wantDownstreamIDTokenAdditionalClaims) > 0 {
+		require.Equal(t, wantDownstreamIDTokenAdditionalClaims, idTokenClaims["additionalClaims"])
+	} else {
+		require.NotContains(t, idTokenClaims, "additionalClaims", "additionalClaims claim should not be present when no sub claims are expected")
+	}
 
 	// Some light verification of the other tokens that were returned.
 	require.NotEmpty(t, tokenResponse.AccessToken)