retzkek
commented
3 years ago jwt has a WithAudience Validator, but it's just doing simple matching, while we need to be able to check for a specific aud OR one of the "wildcard" audiences - "ANY" for scitokens and "https://wlcg.cern.ch/jwt/v1/any" for WLCG tokens (these should be configurable).
The Enforcer needs to be able to validate that it's the token audience. New Validator and Enforcer method: