Allow a list of valid audiences to be configured #205

Closed
jobec opened this issue Jun 1, 2016 · 2 comments

@jobec

jobec commented Jun 1, 2016

A JWT token can contain multiple audiences.

But, it would be nice if you could also specify a list of valid audiences for audience in jwt.decode().

Example:

```python
options = {
    'verify_signature': True,
    'verify_exp': True,
    'verify_nbf': True,
    'verify_iat': True,
    'verify_aud': True,
    'verify_iss': True,
    'require_exp': False,
    'require_iat': False,
    'require_nbf': False
}

payload = jwt.decode(
    jwt_value,
    key=self._public_key,
    verify=True,
    audience=["audience_1", "audience_2"],
    issuer="SomeIssuer",
    options=options,
)
```

@mark-adams
Contributor

I think the reason this wasn't implemented originally was based primarily on the typical use case.

For instance, a normal JWT use case is for an identity provider (the issuer) to issue a token to a user that is valid for service A, service B, and service C. When service A receives a request containing the token, it doesn't care about whether or not service B or service C are in the list, only that it (service A) is in the list of audiences on the token.

For that reason, I think most use cases only require validating that a single audience is in the list.

@codervinod

@mark-adams We have a use case where the identity provider issues tokens to different clients. We have a single API which authenticates via JWT and hence we need to absorb a list of audiences. I will send a pull request regarding this feature later today. It would be helpful if you can merge it.
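
The two cases raised in this thread (one service checking a token that lists several audiences, and one API accepting tokens issued for several client audiences) reduce to the same set-intersection check on the `aud` claim. The following is an added example, not part of the thread and not PyJWT's implementation; `check_audience`, `is_accepted` and `InvalidAudience` are hypothetical names, and the payload is assumed to come from a token whose signature has already been verified.

```python
# Added example: standalone "aud" check, not PyJWT's own code.
# Assumption: `payload` was decoded from a token whose signature is verified.
from typing import Any, List, Mapping, Union


class InvalidAudience(Exception):
    """Raised when the "aud" claim does not satisfy the verifier."""


def _as_set(value: Any, what: str) -> frozenset:
    # A bare string is ONE audience. Without this branch, iterating it
    # would yield characters and `in` would do substring matching.
    if isinstance(value, str):
        return frozenset([value])
    if isinstance(value, (list, tuple, set, frozenset)):
        if all(isinstance(v, str) for v in value):
            return frozenset(value)
    raise InvalidAudience(f"{what} must be a string or a list of strings")


def check_audience(payload: Mapping[str, Any],
                   accepted: Union[str, List[str]]) -> frozenset:
    """Return the audiences present in the token AND accepted by this service.

    Raises InvalidAudience when "aud" is missing, malformed, or has no
    value in common with the accepted audiences.
    """
    if "aud" not in payload:
        raise InvalidAudience('token has no "aud" claim')
    token_auds = _as_set(payload["aud"], '"aud" claim')
    accepted_auds = _as_set(accepted, "accepted audiences")
    if not accepted_auds:
        # Fail closed: an empty allow-list must never mean "accept anything".
        raise InvalidAudience("no accepted audience configured")
    matched = token_auds & accepted_auds
    if not matched:
        raise InvalidAudience("token was not issued for this service")
    return matched


def is_accepted(payload: Mapping[str, Any],
                accepted: Union[str, List[str]]) -> bool:
    """Boolean wrapper around check_audience for callers that only branch."""
    try:
        check_audience(payload, accepted)
        return True
    except InvalidAudience:
        return False
```
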
