auth0 / go-jwt-middleware

A Middleware for Go Programming Language to check for JWTs on HTTP requests
MIT License

If we set multiple audiences, we get an authentication error. #148

Closed shnmorimoto closed 1 year ago

shnmorimoto commented 2 years ago

Describe the problem

When we set multiple audiences and the JWT only has one audience, we get an authentication error.

jwtValidator, err := validator.New(
    provider.KeyFunc,
    validator.RS256,
    issuerURL.String(),
    []string{"aaaaaa", "bbbbbb"},
)

The JWT payload is like below:

{
  "email": "user@example.com",
  "email_verified": true,
  "iss": "xxxxxxxxxxxxxxxx",
  "sub": "xxxxxxxxxxxxxxxx",
  "aud": "aaaaaa",
  "iat": 1648000756,
  "exp": 1648036756
}

The error is like below:

2022/03/23 08:08:42 Encountered error while validating JWT: jwt invalid: expected claims not validated: square/go-jose/jwt: validation failed, invalid audience claim (aud)

If we set only 1 audience, then authentication succeeds.

What was the expected behavior?

In my understanding, if one of the audiences we set matches one of the client-side audiences, the authentication should succeed.

Is my understanding correct?

Reproduction

  1. Set multiple audiences in validator.New.
  2. Send a JWT with one audience.

Please see "Describe the problem".

Environment

Version of go-jwt-middleware used: v2.0.1

fschoell commented 2 years ago

Ran into the same issue, seems like this is coming from the jwt library that does the claim validation. They already have an issue open for this, but not a lot of response there from the maintainers: https://github.com/square/go-jose/issues/286

Unfortunately they also don't use go modules, so it's difficult to replace it with a fork.

truescotian commented 2 years ago

There is a fix here: https://github.com/go-jose/go-jose/pull/10 ; it will just need to be updated in this repo.

sergiught commented 1 year ago

Hey folks 👋🏻 this is now fixed within the v2.1.0 (release). Thanks for your patience!
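
An added example, not code from this thread, go-jwt-middleware or go-jose: the audience check from the report at the top, reproduced with the standard library only to contrast "every configured audience must be in the token" with "any one configured audience is enough". The names `audience` and `audienceOK` are hypothetical, and reading the reported failure as an every-value-must-match check is an assumption consistent with the error shown.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audience decodes "aud", which RFC 7519 allows as a string or an array.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	if len(b) > 0 && b[0] == '"' {
		var one string
		err := json.Unmarshal(b, &one)
		*a = audience{one}
		return err
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// audienceOK (hypothetical helper): requireAll demands every expected value
// in the token, otherwise any one suffices. Empty expected fails closed.
func audienceOK(expected []string, payload string, requireAll bool) bool {
	var claims struct {
		Aud audience `json:"aud"`
	}
	if json.Unmarshal([]byte(payload), &claims) != nil || len(expected) == 0 {
		return false
	}
	n := 0
	for _, e := range expected {
		for _, a := range claims.Aud {
			if e == a {
				n++
				break
			}
		}
	}
	if requireAll {
		return n == len(expected)
	}
	return n > 0
}

func main() {
	// Constructed payload and audience list modelled on the report above.
	payload := `{"iss":"xxxxxxxxxxxxxxxx","aud":"aaaaaa"}`
	want := []string{"aaaaaa", "bbbbbb"}
	fmt.Println(audienceOK(want, payload, true), audienceOK(want, payload, false))
}
```

Signature, issuer and expiry checks are out of scope here; the block only decodes an already-verified payload and compares audiences.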