Allow aud claim as array

Author: lcrilly

frontend.conf

@@ -11,6 +11,7 @@ log_format main_jwt '$remote_addr - $jwt_claim_sub [$time_local] "$request" $sta
 # JavaScript code for OpenID Connect
 js_include conf.d/openid_connect.js;
 js_set $requestid_hash hashRequestId;
+auth_jwt_claim_set $jwt_audience aud; # In case aud is an array
 
 keyval_zone zone=opaque_sessions:1M state=conf.d/opaque_sessions.json timeout=1h; # CHANGE timeout to JWT/exp validity period
 keyval_zone zone=refresh_tokens:1M  state=conf.d/refresh_tokens.json  timeout=8h; # CHANGE timeout to refresh validity period

openid_connect.js

@@ -164,13 +164,14 @@ function hashRequestId(r) {
 
 function validateIdToken(r) {
     // Check mandatory claims
-    var required_claims = ["aud", "iat", "iss", "sub"];
+    var required_claims = ["iat", "iss", "sub"]; // aud is checked separately
     var missing_claims = [];
     for (var i in required_claims) {
         if (r.variables["jwt_claim_" + required_claims[i]].length == 0 ) {
             missing_claims.push(required_claims[i]);
         }
     }
+    if (r.variables.jwt_audience.length == 0) missing_claims.push("aud");
     if (missing_claims.length) {
         r.error("OIDC ID Token validation error: missing claim(s) " + missing_claims.join(" "));
         r.return(403);
@@ -186,8 +187,9 @@ function validateIdToken(r) {
     }
 
     // Audience matching
-    if (r.variables.jwt_claim_aud != r.variables.oidc_client) {
-        r.error("OIDC ID Token validation error: aud claim (" + r.variables.jwt_claim_aud + ") does not match configured $oidc_client (" + r.variables.oidc_client + ")");
+    var aud = r.variables.jwt_audience.split(",");
+    if (!aud.includes(r.variables.oidc_client)) {
+        r.error("OIDC ID Token validation error: aud claim (" + r.variables.jwt_audience + ") does not include configured $oidc_client (" + r.variables.oidc_client + ")");
         valid_token = false;
     }