I'm just curious about how the VerifyJWT policy verifies the aud claim.
This is my aud claim in the JWT:
aud: ["urlA", "urlB"]
And these are the audiences that I use in the policy:
urlA,urlC
Does it need to be an entire match, or is it fine if just one of them matches?
It needs to match all of the
Hi,
The aud: key in the JWT allows for an array of audiences.
The JWT Policy's tag accepts a String and checks whether the single audience listed in the tag is included in the list of audiences described in "aud:".
If you need to confirm that 2 or more audiences are available in the JWT, you could use two JWT policies. Each would check for the specific audience. If either was not available in the "aud:" list, then it would fail, throwing an error.
Yes, you can use 2 policies; two VerifyJWT policies will do the signature verification twice, which may be a performance issue at scale. Functionally, it will just work. But if you were at high scale, you may see some additional latency that ... isn't desirable.
Another way to do this is to introduce a condition in the proxy flow that just examines the decoded aud claim.
This is a bit unusual. At verification time, "aud" is usually construed to mean "the receiving party", so the receiver is ONE AUDIENCE. And it should verify that the JWT is intended for IT. Which means, check ONE AUDIENCE. The JWT itself may have multiple audiences. But normally verifying a JWT will check ONE.
I suggest you re-check what you're doing with verifying multiple audiences. Make sure that is what you ought to be doing.
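As an added illustration of the two checks discussed in this thread (this is not the original poster's code and not Apigee's VerifyJWT implementation), here is the audience comparison modelled in plain Node.js. It assumes the signature has already been verified by a separate step, so it only decodes the payload and compares the aud claim; the token, the helper names and the urlA/urlB/urlC values are constructed for the example. It also handles the case the RFC allows where aud is a single string rather than an array.

```javascript
// Added example: JWT "aud" matching logic in plain Node.js.
// Assumption: the token's signature was already verified elsewhere; nothing
// here accepts a token on the strength of its header or signature segment.

// base64url -> utf8 string (Node's base64 decoder tolerates missing padding).
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Split the compact JWS form and parse the claims (payload) segment.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT: expected 3 segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// RFC 7519 allows "aud" to be a single string or an array of strings.
// Normalise both shapes to an array; anything else is rejected.
function audienceList(claims) {
  const aud = claims.aud;
  if (aud === undefined) return [];
  if (typeof aud === 'string') return [aud];
  if (Array.isArray(aud) && aud.every((a) => typeof a === 'string')) return aud;
  throw new Error('invalid aud claim');
}

// The usual receiver-side check: is *this* service (one audience) in "aud"?
// This mirrors what a single-audience policy setting does.
function isIntendedFor(claims, myAudience) {
  return audienceList(claims).includes(myAudience);
}

// The "every required audience must be present" check from the thread,
// done in one pass over the decoded claims instead of two verification steps.
function hasAllAudiences(claims, requiredAudiences) {
  const present = new Set(audienceList(claims));
  return requiredAudiences.every((r) => present.has(r));
}

// Constructed sample token: a real header and payload encoding, but a
// placeholder signature segment, because signing is out of scope here.
function makeSampleToken(claims) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj))
      .toString('base64')
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

const sampleToken = makeSampleToken({ sub: 'user1', aud: ['urlA', 'urlB'] });
const claims = decodeClaims(sampleToken);
console.log('intended for urlA:', isIntendedFor(claims, 'urlA'));           // true
console.log('intended for urlC:', isIntendedFor(claims, 'urlC'));           // false
console.log('has urlA and urlC:', hasAllAudiences(claims, ['urlA', 'urlC'])); // false
```

The sample reproduces the thread's case: with aud ["urlA", "urlB"] a single-audience check for urlA passes, while requiring both urlA and urlC fails because urlC is absent. Whichever check you use, run it only after signature verification, since the claims are untrusted until then.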