-
-
Notifications
You must be signed in to change notification settings - Fork 679
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow a list of valid audiences to be configured #205
Comments
I think the reason this wasn't implemented originally was based primarily on the typical use case. For instance, a normal JWT use case is for an identity provider (the issuer) to issue a token to a user that is valid for service A, service B, and service C. When service A receives a request containing the token, it doesn't care about whether or not service B or service C are in the list, only that it (service A) is in the list of audiences on the token. For that reason, I think most use cases only require validating that a single audience is in the list. |
@mark-adams We have a use case where identity provider issues tokens to different clients. We have a single API which authenticates via JWT and hence we need to absorb a list of audience. I will send a pull request regarding this feature later today. It would be helpful if you can merge it. |
…nfigured Added test cases to check if audience is provided a list.
A JWT token can contain multiple audiences.
But, it would be nice if you could also specify a list of valid audiences for
audience
injwt.decode()
.Example:
The text was updated successfully, but these errors were encountered: