Add optional skip_issuer parameter to IdToken.verify!

This is especially useful when using Microsoft Entra ID common
endpoint, as the issuer could be from another tenant.

When using this parameter it is recommended to set the audience as this
stays the same even if the issuer is from another tenant.

Related omniauth/omniauth_openid_connect#166
Closes nov#95

Author: bufferoverflow

lib/openid_connect/response_object/id_token.rb

@@ -21,9 +21,9 @@ def initialize(attributes = {})
         self.auth_time = auth_time.to_i unless auth_time.nil?
       end
 
-      def verify!(expected = {})
+      def verify!(expected = {}, skip_issuer = false)
         raise ExpiredToken.new('Invalid ID token: Expired token') unless exp.to_i > Time.now.to_i
-        raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless iss == expected[:issuer]
+        raise InvalidIssuer.new('Invalid ID token: Issuer does not match') unless (iss == expected[:issuer] || skip_issuer == true)
         raise InvalidNonce.new('Invalid ID Token: Nonce does not match') unless nonce == expected[:nonce]
 
         # aud(ience) can be a string or an array of strings

spec/openid_connect/response_object/id_token_spec.rb

@@ -79,6 +79,18 @@
       end
     end
 
+    context 'when issuer is invalid and skip_issuer is set' do
+      it do
+        expect do
+          id_token.verify!({
+            issuer: 'invalid_issuer',
+            client_id: attributes[:aud]},
+            false
+          )
+        end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+      end
+    end
+
     context 'when issuer is missing' do
       it do
         expect do