JWT aud claim does not allow string value as it should

Issue #98 resolved
Former user created an issue

The aud claim allows only array values.

In the specification of JWT it seems to have been a string before and in the latest spec it's an array but MAY also contain a single string value.

Currently Nimbus JWT (version 2.26) cannot generate a token with aud as string value, as it should. About parsing tokens I cannot tell whether it works for aud as string, but it should of course work as well as with generating tokens.

Comments (3)

  1. Connect2id OSS

    Hi,

    Are you having interop problems with another JWT library that cannot parse "aud" arrays?

    The JOSE+JWT library accepts both "aud" representations - string or string array:

    https://bitbucket.org/connect2id/nimbus-jose-jwt/src/0d5b12b4d4b84c822bec4af368b3bea5120cb310/src/test/java/com/nimbusds/jwt/JWTClaimsSetTest.java?at=master#cl-426

    When outputting a JSON object, the "aud" is however always represented as a string array. This should be the general behaviour according to the JWT spec; outputting a single string is treated as a special case and is optional (notice the MAY):

    http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.3

    In the general case, the "aud" value is an array of case-
    sensitive strings, each containing a StringOrURI value.  In the
    special case when the JWT has one audience, the "aud" value MAY be a
    single case-sensitive string containing a StringOrURI value.
    

    We'll consider outputting a single string in the special case if that would solve interop with other libraries that cannot handle arrays.
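
The two "aud" forms from the quoted spec section, handled on the consuming side. This is an added example, not part of the issue thread and not Nimbus JOSE+JWT code; the function names and sample claims are hypothetical, and the claims are assumed to come from a token whose signature has already been verified.

```python
import json

def normalize_aud(claims):
    """Return the audience as a list of strings, whichever form was sent."""
    if "aud" not in claims:
        return []
    aud = claims["aud"]
    if isinstance(aud, str):
        return [aud]  # special case: one audience as a single string
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)  # general case: array of strings
    raise ValueError("aud must be a string or an array of strings")

def audience_ok(claims, expected):
    """True only if `expected` is exactly one of the token's audiences.

    Normalizing first matters: `expected in claims["aud"]` on the string
    form would be a substring test, not a membership test.
    """
    return expected in normalize_aud(claims)

def serialize_claims(claims, single_aud_as_string=False):
    """Emit JSON with "aud" as an array, or as a string when opted in
    and there is exactly one audience."""
    out = dict(claims)
    aud = normalize_aud(claims)
    if aud:
        out["aud"] = aud[0] if single_aud_as_string and len(aud) == 1 else aud
    return json.dumps(out, separators=(",", ":"), sort_keys=True)

# Constructed sample claims sets, one per representation.
AS_STRING = json.loads(
    '{"iss":"https://issuer.example","aud":"https://api.example"}')
AS_ARRAY = json.loads(
    '{"iss":"https://issuer.example",'
    '"aud":["https://api.example","https://other.example"]}')

if __name__ == "__main__":
    for sample in (AS_STRING, AS_ARRAY):
        print(normalize_aud(sample), audience_ok(sample, "https://api.example"))
    print(serialize_claims(AS_STRING))
    print(serialize_claims(AS_STRING, single_aud_as_string=True))
```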
