Do not update JWT authentication token audience

Author: sberyozkin

extensions/oidc-client/deployment/src/test/resources/application-oidc-client-credentials-jwt-secret.properties

@@ -1,7 +1,7 @@
 # Disable Dev Services, Keycloak is started by a Maven plugin
 quarkus.keycloak.devservices.enabled=false
 
-quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus4/
+quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus4
 quarkus.oidc.client-id=quarkus-app
 quarkus.oidc-client.client-enabled=false
 quarkus.oidc-client.jwt.auth-server-url=${quarkus.oidc.auth-server-url}

extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java

@@ -448,9 +448,7 @@ public static String signJwtWithKey(OidcClientCommonConfig oidcConfig, String to
                 .claims(additionalClaims(oidcConfig.credentials().jwt().claims()))
                 .issuer(oidcConfig.credentials().jwt().issuer().orElse(oidcConfig.clientId().get()))
                 .subject(oidcConfig.credentials().jwt().subject().orElse(oidcConfig.clientId().get()))
-                .audience(oidcConfig.credentials().jwt().audience().isPresent()
-                        ? removeLastPathSeparator(oidcConfig.credentials().jwt().audience().get())
-                        : tokenRequestUri)
+                .audience(oidcConfig.credentials().jwt().audience().orElse(tokenRequestUri))
                 .expiresIn(oidcConfig.credentials().jwt().lifespan()).jws();
         if (oidcConfig.credentials().jwt().tokenKeyId().isPresent()) {
             jwtSignatureBuilder.keyId(oidcConfig.credentials().jwt().tokenKeyId().get());

extensions/oidc-common/runtime/src/test/java/io/quarkus/oidc/common/runtime/OidcCommonUtilsTest.java

@@ -56,10 +56,37 @@ public void testJwtTokenWithScope() throws Exception {
         cfg.setClientId("client");
         cfg.credentials.jwt.claims.put("scope", "read,write");
         PrivateKey key = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate();
-        String jwt = OidcCommonUtils.signJwtWithKey(cfg, "http://localhost", key);
+        String jwt = OidcCommonUtils.signJwtWithKey(cfg, "http://some.service.com", key);
         JsonObject json = decodeJwtContent(jwt);
         String scope = json.getString("scope");
         assertEquals("read,write", scope);
+        assertEquals("http://some.service.com", json.getString("aud"));
+    }
+
+    @Test
+    public void testSignWithAudience() throws Exception {
+        OidcClientCommonConfig cfg = new OidcClientCommonConfig() {
+        };
+        cfg.setClientId("client");
+        cfg.credentials.jwt.audience = Optional.of("https://server.example.com");
+
+        PrivateKey key = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate();
+        String jwt = OidcCommonUtils.signJwtWithKey(cfg, "http://localhost", key);
+        JsonObject json = decodeJwtContent(jwt);
+        assertEquals("https://server.example.com", json.getString("aud"));
+    }
+
+    @Test
+    public void testSignWithAudienceTrailingSlash() throws Exception {
+        OidcClientCommonConfig cfg = new OidcClientCommonConfig() {
+        };
+        cfg.setClientId("client");
+        cfg.credentials.jwt.audience = Optional.of("https://server.example.com/");
+
+        PrivateKey key = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate();
+        String jwt = OidcCommonUtils.signJwtWithKey(cfg, "http://localhost", key);
+        JsonObject json = decodeJwtContent(jwt);
+        assertEquals("https://server.example.com/", json.getString("aud"));
     }
 
     public static JsonObject decodeJwtContent(String jwt) {