Closed alexacw closed 3 years ago
Right, this should probably be updated to allow aud to be an array of strings.
Instead of having the `VerifierBuilder::audience()` utility build on `string_equals` it might also be good to have another kind of verifier api like `contains_string()` / `VerifierKind::ContainsString` that can be used to check that some string is contained within an array-or-single-string claim and then the `VerifierBuilder::audience()` api would build on that instead of `string_equals`.
My eyebrow is also highly-raised with that last `""` in the vector of standard claims - I can't think atm why I would have put that there? hmm 🤨
Hi @alexacw, sorry for a bit of delay with following up on this issue but I've just created some patches to address this and it would be great if you're able to cast an eye over the pull request here: https://github.com/rib/jsonwebtokens/pull/14 to see if the solution looks good / usable to you.
I went ahead and merged the changes to resolve this issue
Refer to https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3, the aud claims can either be a string or an array of strings, however here https://github.com/rib/jsonwebtokens/blob/74c3b776e689dd809a420013877f3158692ba9b5/src/verifier.rs#L181 forces it to be a string only in any verification functions.
It should be a simple change tho, submitting this issue first anyway.
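The check discussed in this issue, as an added example that is not part of the thread and is not the jsonwebtokens crate's code: an audience check that accepts `aud` as a single string or an array of strings per RFC 7519 section 4.1.3. The `Json` enum, `AudError` and `check_audience` are hypothetical names, with `Json` standing in for whatever parsed-JSON type the verifier uses.

```rust
// Hypothetical stand-in for a parsed JSON value (an assumption for this example).
#[derive(Debug)]
pub enum Json {
    Str(String),
    Arr(Vec<Json>),
    Num(f64),
    Null,
}

#[derive(Debug, PartialEq)]
pub enum AudError {
    Missing,     // no "aud" claim in the token
    Malformed,   // neither a string nor an array of strings
    NotIntended, // well-formed, but the expected audience is not listed
}

/// Accept `aud` as a single string or an array of strings and require an
/// exact, case-sensitive match against `expected`.
pub fn check_audience(aud: Option<&Json>, expected: &str) -> Result<(), AudError> {
    match aud.ok_or(AudError::Missing)? {
        Json::Str(s) if s.as_str() == expected => Ok(()),
        Json::Str(_) => Err(AudError::NotIntended),
        Json::Arr(items) => {
            // Inspect every element so a mixed-type array is rejected even
            // when one of its entries happens to match.
            let mut found = false;
            for item in items {
                match item {
                    Json::Str(s) => found |= s.as_str() == expected,
                    _ => return Err(AudError::Malformed),
                }
            }
            if found { Ok(()) } else { Err(AudError::NotIntended) }
        }
        _ => Err(AudError::Malformed),
    }
}

fn main() {
    // Constructed sample claims.
    let single = Json::Str("api.example.test".into());
    let many = Json::Arr(vec![Json::Str("web".into()), Json::Str("api.example.test".into())]);
    println!("{:?}", check_audience(Some(&single), "api.example.test"));
    println!("{:?}", check_audience(Some(&many), "api.example.test"));
    println!("{:?}", check_audience(Some(&many), "API.example.test"));
}
```

An empty array and a missing claim are both rejected, so a token cannot pass the audience check by omitting the audience.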