Keats / jsonwebtoken

JWT lib in rust
MIT License

Reject tokens when claims has an aud, none expected #332

Closed grahamc closed 9 months ago

grahamc commented 9 months ago

From the RFC:

Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.

Closes #329
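To make the RFC rule concrete, here is a small added illustration (not the crate's own `Validation` code) of the audience check a verifier applies, including the case this PR changes: a token that carries `aud` while the verifier was configured with no audience at all is rejected. The `Aud`, `AudValidation`, `AudOutcome` and `validate_aud` names are assumptions for the example.

```rust
use std::collections::HashSet;

/// The `aud` claim as RFC 7519 allows it: a single string or an array of strings.
#[derive(Debug, Clone)]
pub enum Aud {
    Single(String),
    Many(Vec<String>),
}

/// Hypothetical validation settings: the audiences this verifier identifies itself as.
#[derive(Debug, Default)]
pub struct AudValidation {
    pub expected: HashSet<String>,
}

/// Outcome of the audience check.
#[derive(Debug, PartialEq, Eq)]
pub enum AudOutcome {
    Accepted,
    /// Token carries `aud`, but the verifier was configured with no audience at all.
    RejectedNoneExpected,
    /// Token carries `aud`, but none of its values match the configured audiences.
    RejectedMismatch,
}

/// Apply the RFC 7519 section 4.1.3 rule quoted above.
pub fn validate_aud(claim: Option<&Aud>, cfg: &AudValidation) -> AudOutcome {
    let values: Vec<&str> = match claim {
        // No `aud` in the token: this rule has nothing to check.
        None => return AudOutcome::Accepted,
        Some(Aud::Single(s)) => vec![s.as_str()],
        Some(Aud::Many(v)) => v.iter().map(String::as_str).collect(),
    };
    // The behaviour this PR introduces: `aud` is present, but the verifier does
    // not identify itself with any audience, so the token MUST be rejected.
    if cfg.expected.is_empty() {
        return AudOutcome::RejectedNoneExpected;
    }
    // Otherwise at least one value in `aud` must name this verifier.
    if values.iter().any(|v| cfg.expected.contains(*v)) {
        AudOutcome::Accepted
    } else {
        AudOutcome::RejectedMismatch
    }
}
```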

Keats commented 9 months ago

Thanks. That's a breaking change so that would be released as v9

grahamc commented 9 months ago

Thanks, @Keats! Do you have a timeline or process for these sorts of things, or is it something that "just happens" from time to time? Just curious to set my own expectations.

Keats commented 9 months ago

Probably this week if I don't forget about it in the meantime

grahamc commented 9 months ago

Thank you greatly!