Open oberlage opened 1 year ago
Just to double-check: Are you sure you want to check against multiple expected audiences?
What WithAudience
does, it checks all supplied audience, whether one of them includes the expected one (or is equal to it, in the case of just one audience). Usually your application should define one expected audience (e.g., its own hostname or an application name or a similar semantic) and then check for that particular one. I am not so sure about what the semantics about multiple expected audiences would entail.
If there is a valid use case for it, I suppose we (or rather you ;) as part of a PR) could add the WithAudiences
parser option. Although there is probably a discussion then whether all expected audiences must match or any of them.
We tried to do the most basic functionality first in v5
and then see where we could add additional features that make sense.
@oxisto Would you still be open to accepting a PR for this feature?
Although there is probably a discussion then whether all expected audiences must match or any of them.
Perhaps the option could be configurable in this sense, e.g.
func WithAudiences(auds []string, matchAll bool) ParserOption {}
Having multiple audiences is beneficial when using Google OAuth, especially since we have different apps across web and mobile, each with its client ID (audience). The server endpoint needs to validate against these multiple audiences.
Source: https://developers.google.com/identity/gsi/web/guides/verify-google-id-token
The value of aud in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server.
Having multiple audiences is beneficial when using Google OAuth, especially since we have different apps across web and mobile, each with its client ID (audience). The server endpoint needs to validate against these multiple audiences.
Source: https://developers.google.com/identity/gsi/web/guides/verify-google-id-token
The value of aud in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server.
Ok, this could make sense. I would be open for a PR implementing this.
Would we extend the existing parameter to be a variaadic, or add another functional option?
Would we extend the existing parameter to be a variaadic, or add another functional option?
I think the best way would be the approach suggested before: func WithAudiences(auds []string, matchAll bool) ParserOption {}
Hi there,
I've just updated to
v5
and found that the newRegisteredClaims
(inregistered_claims.go
) struct allows for a[]string
type via theClaimStrings
type. This opens the way for verifying multiple audiences from the token.I'm very happy with this, as my authentication provider does provide multiple audiences and
v4
gave no option to verify these.However, the new
ParserOption
namedWithAudience(aud string)
and accompanyingvalidator
still only allows for a singlestring
audience to be verified.With RFC 7519 specifically mentioning multiple audiences, it does feel like something nice to support.
My questions are as follows:
ParserOption
calledWithAudiences(auds []string)
for the specific case of multiple audiences. This would not break the existingWithAudience(..)
and add functionality.Thanks in advance!