The subject field of grants needs to be a string, not an array.

jpadilla/pyjwt#1005
This was always in the jwt specification, but was not enforced in the jwt python library until recently.

Author: TomRitserveldt

src/delegate.py

@@ -104,12 +104,19 @@ def handler(event, context: LambdaContext) -> dict:
             if not domains.issubset(refresh_token['domains']):
                 return bad_request('', 'domain requested outside refresh_token')
 
+        # Validate no commas in subject or existing sub chain to avoid join ambiguity
+        if ',' in subject:
+            return bad_request('', 'subject contains invalid comma')
+        existing_sub = refresh_token.get('sub', [])
+        if any(',' in s for s in existing_sub if isinstance(s, str)):
+            return bad_request('', 'existing sub chain contains invalid comma')
+
         delegate_token = {
             'iat': int(time.time()),
             'exp': exp,
             'domains': list(domains),
             'azp': refresh_token['azp'],  # Authorized Party
-            'sub': refresh_token.get('sub', []) + [subject],  # subject
+            'sub': ', '.join(existing_sub + [subject]),  # sub must be string adhering to jwt spec: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2
         }
         logger.info({"message": "Issuing JWT", "jwt": delegate_token})
         raw_delegate_token = jwt.encode(

src/use_grant.py

@@ -20,6 +20,7 @@ def handler(event, context) -> dict:
             raw_grant,
             get_grant_jwt_secret(),
             algorithms=['HS256'],
+            options={'require': [], 'verify_sub': False},  # Disable validation for now until sub field are all strings.
         )
         assert 'exp' in grant
         assert 'azp' in grant