jwt: use AnyAudience matching #81

jsha · 2023-12-12T00:18:00Z

Previously, the Expected.Audience field meant "all of these audiences must be present in the token." But that doesn't really make sense with the spec:

https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3

Instead, rename the field to AnyAudience and changes its semantics to mean "there must be an intersection between this set and the set of audiences in the token."

Re-land of #10 on the main (v4) branch. Followup of #23 and #24. cc @shnmorimoto

Previously, the `Expected.Audience` field meant "all of these audiences must be present in the token." But that doesn't really make sense with the spec: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3 Instead, rename the field to `AnyAudience` and changes its semantics to mean "there must be an intersection between this set and the set of audiences in the token."

beautifulentropy · 2023-12-12T17:47:54Z

jwt/validation.go

+	if len(e.AnyAudience) != 0 {
+		var intersection bool
+		for _, v := range e.AnyAudience {
+			if c.Audience.Contains(v) {
+				intersection = true
+				break
 			}
 		}
+
+		if !intersection {
+			return ErrInvalidAudience
+		}


If we're on >= go1.21 we could also do:

if len(e.AnyAudience) != 0 && !slices.Contains(c.Audience, e.AnyAudience...) { return ErrInvalidAudience }

beautifulentropy approved these changes Dec 12, 2023

View reviewed changes

jsha merged commit 7c8ceda into main Dec 12, 2023
3 checks passed

jsha deleted the multi-audience branch December 12, 2023 18:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

jwt: use AnyAudience matching #81

jwt: use AnyAudience matching #81

jsha commented Dec 12, 2023

beautifulentropy Dec 12, 2023

jwt: use AnyAudience matching #81

jwt: use AnyAudience matching #81

Conversation

jsha commented Dec 12, 2023

beautifulentropy Dec 12, 2023

Choose a reason for hiding this comment