Audience parsing doesn't reject unexpected items

[joonas-fi]

Because there's no default: branch erroring out, I could smuggle any valid JSON there, like true, false, null, any number or an object.

jwt/claims.go

Line 69 in 1639fcf

switch data[0] {

They'll simply be discarded.

I don't know if there's security implications, might not because because header and payload are signed by the issuer, and any tampering would get detected. But since I can't for 100 % say it's a non-issue, I'd feel more comfortable rejecting the data that would get discarded otherwise.

WDYT?

[kataras]

Hello @joonas-fi,

This library doesn't perform any "aud" check, as it's already described on the jwt.io website. But I would love to do it so if that is critical for you. Keep in mind that you can perform your own checks against these claims, see TokenValidator.