Cross-chain compatibility???

[nanaknihal]

The underlying problem is that if someone's web2 JWT is on another chain, somebody can steal it and then put it on this chain, which will verify it, as it doesn't check the 'aud' claim.

There are a few options.

1. (Not my favorite option) Have one 'aud' per chain. Check the 'aud' claim of the JWT and make sure it belongs to your chain. Checking aud claims can be done efficiently using the sandwiching we use for extracting credentials. The problem is that it centralizes who can provide the tokens -- only the app listed in the aud claim.
2. Oracles for cross-chain data. Before saving credentials, check that the credentials don't exist on any other chain that WTF is on.
3. Something like the Lit protocol's signing of cross-chain smart contract calls. The difficult part is their signature is BLS, and verifying a BLS JWT may be tough on-chain

[nanaknihal]

We're going with 1.

It's not much more centralized and it's actually far more secure. We want to validate "aud" claims anyway to make sure tokens didn't come from an insecure site.

On that note, it wouldn't hurt to also check the exp and iss claims. Checks of these and the aud claims are required by the openid specifications