pilcrowonpaper / oslo

A collection of auth-related utilities
https://oslo.js.org
MIT License
1.06k stars 35 forks

JWT `aud` Claim Does Not Match JWT Spec #14

Closed juriadams closed 9 months ago

juriadams commented 10 months ago

Upon reviewing the oslo module, I've found its features compelling and plan on integrating it into our production applications. However, I've noticed an inconsistency concerning the oslo/jwt not completely adhering to the JWT spec.

According to Section 4.1.3 of the spec, the aud claim should usually be an array of strings, although it can also be just a string.

Section 4.1.3 JWT Spec

Looking at your library's source code, I noticed that it only supports string as the type of audience. Can you confirm if this was an intentional design decision?

If not, I am happy to contribute by making a PR to resolve this issue.

pilcrowonpaper commented 10 months ago

Oh, TIL! Yeah this wasn't intentional.

As for the implementation/fix, maybe we should make JWT.audience always be an array instead of string | string[], so you wouldn't need to check for the type.
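The two points above (that RFC 7519 Section 4.1.3 allows `aud` to be either a single string or an array of strings, and that normalizing it to an array removes the type check from callers) can be put together in a small validator. This is an added example, not oslo's code or its API; the token layout, the `normalizeAudience`, `audienceMatches`, `decodePayload` and `encodePayload` names, and the sample payloads are all constructed for illustration, and signature verification is deliberately left out, since it must happen separately before any claim is trusted.

```typescript
// Added example (not oslo's code): checking the JWT "aud" claim when it may be
// either a string or an array of strings, as RFC 7519 Section 4.1.3 allows.

type JwtPayload = { aud?: unknown; [claim: string]: unknown };

// Normalize "aud" to string[] so callers never branch on its type.
// A missing claim yields an empty array; any other shape is rejected.
function normalizeAudience(aud: unknown): string[] {
  if (aud === undefined) return [];
  if (typeof aud === "string") return [aud];
  if (Array.isArray(aud) && aud.every((a) => typeof a === "string")) {
    return aud as string[];
  }
  throw new Error('invalid "aud" claim: expected string or string[]');
}

// A token is acceptable to this recipient only if its own identifier is one of
// the listed audiences. Tokens with no "aud" are rejected (empty array).
function audienceMatches(payload: JwtPayload, expected: string): boolean {
  return normalizeAudience(payload.aud).includes(expected);
}

// Decode the payload segment of a compact JWS (header.payload.signature).
// Signature verification is out of scope here; do it before trusting claims.
function decodePayload(token: string): JwtPayload {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const json = Buffer.from(b64, "base64").toString("utf8");
  return JSON.parse(json) as JwtPayload;
}

// Build a constructed, unsigned token for demonstration only: the header is a
// fixed {"alg":"HS256"} segment and the signature is a placeholder string.
function encodePayload(payload: JwtPayload): string {
  const b64 = Buffer.from(JSON.stringify(payload), "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
  return `eyJhbGciOiJIUzI1NiJ9.${b64}.placeholder-signature`;
}

// Constructed sample tokens: one with a string "aud", one with an array.
const singleAudienceToken = encodePayload({ sub: "user-1", aud: "https://api.example" });
const multiAudienceToken = encodePayload({
  sub: "user-1",
  aud: ["https://other.example", "https://api.example"],
});

console.log(audienceMatches(decodePayload(singleAudienceToken), "https://api.example")); // true
console.log(audienceMatches(decodePayload(multiAudienceToken), "https://api.example")); // true
console.log(audienceMatches(decodePayload(multiAudienceToken), "https://third.example")); // false
```

Normalizing inside the library, as proposed above, means a consumer only ever sees `string[]`; the rejection of non-string shapes also stops a malformed or attacker-controlled `aud` value (a number, an object) from silently passing a loose equality check.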

pilcrowonpaper commented 9 months ago

Fixed with 0.26.0