verifyAudience compares the aud claim against cmp. If aud is not set or is an empty list, it will succeed if the claim is not required; otherwise ErrTokenRequiredClaimMissing will be returned. Additionally, if any error occurs while retrieving the claim, e.g., when it is the wrong type, an ErrTokenUnverifiable error will be returned.
(claims Claims, cmp []string, expectAllAud bool)
| 235 | // Additionally, if any error occurs while retrieving the claim, e.g., when it is |
| 236 | // the wrong type, an ErrTokenUnverifiable error will be returned. |
func (v *Validator) verifyAudience(claims Claims, cmp []string, expectAllAud bool) error {
	// Audience check: the token's aud entries are matched against cmp by
	// exact string equality (slices.Contains compares with ==).
	//
	// The error from GetAudience is handed back unchanged.
	// NOTE(review): whether that error is, or wraps, ErrTokenUnverifiable
	// depends on the Claims implementation, which is not visible here.
	presented, err := claims.GetAudience()
	if err != nil {
		return err
	}

	// A missing aud, or one holding a single empty string, counts as "not
	// set". Lists such as ["", ""] are NOT treated as empty and fall through
	// to the matching below.
	//
	// Whether "not set" is an error is decided by v.expectedAud, not by cmp.
	// NOTE(review): if a caller passes a non-empty cmp while v.expectedAud is
	// empty, a token without aud is accepted; confirm every caller passes
	// v.expectedAud as cmp.
	switch {
	case len(presented) == 0, len(presented) == 1 && presented[0] == "":
		return errorIfRequired(len(v.expectedAud) > 0, "aud")
	}

	if expectAllAud {
		// Iterate over the expected values so that each one must appear in
		// the token. With an empty cmp this loop never runs and the check
		// passes, whereas the any-match branch below rejects an empty cmp.
		for _, want := range cmp {
			if !slices.Contains(presented, want) {
				return ErrTokenInvalidAudience
			}
		}

		return nil
	}

	// Any-match mode: one presented audience found in cmp is sufficient.
	matched := slices.ContainsFunc(presented, func(got string) bool {
		return slices.Contains(cmp, got)
	})
	if matched {
		return nil
	}

	return ErrTokenInvalidAudience
}
| 271 | |
| 272 | // verifyIssuer compares the iss claim in claims against cmp. |
| 273 | // |