Handle when aud OIDC claim is an Array (#4584)

* Handle when `aud` OIDC claim is an Array The `aud` claim of OIDC id_tokens [can be an array](ce6d694639/src/Claims.ts (L92)) but the existing logic incorrectly assumes `aud` is always a string. This PR adds the necessary check. * Clarify `aud` OIDC claim check * Fix for prettier --------- Co-authored-by: David Baker <dbkr@users.noreply.github.com>
2025-08-06 12:02:40 +03:00 · 2024-12-17 00:38:34 +13:00
parent 315e81b7de
commit 693bb22ba1
2 changed files with 19 additions and 1 deletions
--- a/src/oidc/validate.ts
+++ b/src/oidc/validate.ts
@@ -179,7 +179,8 @@ export const validateIdToken = (
         * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
         * EW: Don't accept tokens with other untrusted audiences
         * */
-        if (claims.aud !== clientId) {
+        const sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : claims.aud;
+        if (!sanitisedAuds.includes(clientId)) {
            throw new Error("Invalid audience");
        }