From cf537566f3b3b0aad5244c06a5b6a3226bb59493 Mon Sep 17 00:00:00 2001
From: Ayomi
Date: Tue, 3 Feb 2026 15:13:43 +0000
Subject: [PATCH 1/2] fix unbounded split

---
 oidc/token.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oidc/token.go b/oidc/token.go
index a736d40..bce0f0a 100644
--- a/oidc/token.go
+++ b/oidc/token.go
@@ -172,7 +172,7 @@ func getTokenOpts(opt ...Option) tokenOptions {
 // UnmarshalClaims will retrieve the claims from the provided raw JWT token.
 func UnmarshalClaims(rawToken string, claims interface{}) error {
 const op = "UnmarshalClaims"
- parts := strings.Split(string(rawToken), ".")
+ parts := strings.SplitN(rawToken, ".", 3)
 if len(parts) != 3 {
 return fmt.Errorf("%s: malformed jwt, expected 3 parts got %d: %w", op, len(parts), ErrInvalidParameter)
 }

From f031e835ea7f076f85c4065f564668adbaaa416f Mon Sep 17 00:00:00 2001
From: Ayomi <57097245+Ayomi-gh@users.noreply.github.com>
Date: Fri, 6 Feb 2026 17:45:49 +0000
Subject: [PATCH 2/2] Update oidc/token.go

Co-authored-by: Jim
---
 oidc/token.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oidc/token.go b/oidc/token.go
index bce0f0a..cd28ff8 100644
--- a/oidc/token.go
+++ b/oidc/token.go
@@ -172,7 +172,7 @@ func getTokenOpts(opt ...Option) tokenOptions {
 // UnmarshalClaims will retrieve the claims from the provided raw JWT token.
 func UnmarshalClaims(rawToken string, claims interface{}) error {
 const op = "UnmarshalClaims"
- parts := strings.SplitN(rawToken, ".", 3)
+ parts := strings.SplitN(rawToken, ".", 4)
 if len(parts) != 3 {
 return fmt.Errorf("%s: malformed jwt, expected 3 parts got %d: %w", op, len(parts), ErrInvalidParameter)
 }
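Review bot: The limit of 4 in `strings.SplitN(rawToken, ".", 4)` (patch 2/2) is load-bearing but has no comment explaining it. It is one more than the expected segment count, so a token with extra segments still yields a fourth element and fails `len(parts) != 3`; the limit of 3 from patch 1/2 would fold everything after the second dot into `parts[2]` and pass that check. I would add above the call `// Limit is 4, not 3: bounds allocation on untrusted input while len(parts) != 3 still rejects tokens with extra segments.` and squash the two commits so no intermediate revision carries the weaker check. The error message now reports at most 4 parts however many the token had, so a regression test with a four-segment token and one with a long run of dots would pin both behaviours. UnmarshalClaims continues past the end of the hunk, so how `parts` is used afterwards is not visible here.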