JWT aud claim does not allow string value as it should
Issue #98
resolved
The aud claim allows only array values.
In the specification of JWT it seems to have been a string before and in the latest spec it's an array but MAY also contain a single string value.
Currently Nimbus JWT (version 2.26) cannot generate a token with aud as string value, as it should. About parsing tokens I cannot tell whether it works for aud as string, but it should of course work as well as with generating tokens.
Comments (3)
- changed status to open
- changed status to resolved
Done in commit c080ecd.
Hi,
Are you having interop problems with another JWT library that cannot parse "aud" arrays?
The JOSE+JWT library accepts both "aud" representations - string or string array:
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/0d5b12b4d4b84c822bec4af368b3bea5120cb310/src/test/java/com/nimbusds/jwt/JWTClaimsSetTest.java?at=master#cl-426
When outputting a JSON object, the "aud" is however always represented as a string array. This should be the general behaviour according to the JWT spec; outputting a single string is treated as a special case and is optional (notice the MAY):
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-4.1.3
We'll consider outputting a single string in the special case if that would solve interop with other libraries that cannot handle arrays.
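The behaviour discussed in this thread, as an added example that is not part of the issue or of the Nimbus JOSE+JWT code: a consumer that accepts "aud" as either a string or a string array, and a producer that writes an array by default with an optional single-string mode. The function names, the single_string_if_one flag and the sample claim sets are assumptions made for illustration.

```python
import json

def parse_audience(claims_json):
    """Return the "aud" claim as a list of strings, accepting both JSON forms."""
    aud = json.loads(claims_json).get("aud")
    if aud is None:
        return []                          # claim absent
    if isinstance(aud, str):
        return [aud]                       # special case: single string
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)                   # general case: array of strings
    raise ValueError('"aud" must be a string or an array of strings')

def serialize_audience(audience, single_string_if_one=False):
    """Produce the JSON value for "aud".

    The default is always an array. With single_string_if_one=True (a
    hypothetical flag), a one-element audience is written as a bare string
    for consumers that cannot read arrays.
    """
    if single_string_if_one and len(audience) == 1:
        return json.dumps(audience[0])
    return json.dumps(list(audience))

def audience_accepts(claims_json, expected):
    """True if `expected` is one of the audiences, whichever form was used.

    Normalising to a list first matters: testing `expected in aud` directly
    on a string-valued claim would be a substring match, not an exact one.
    """
    return expected in parse_audience(claims_json)

# Constructed sample claim sets (not taken from the issue).
AS_STRING = '{"iss": "https://issuer.example", "aud": "https://api.example"}'
AS_ARRAY = ('{"iss": "https://issuer.example", '
            '"aud": ["https://api.example", "https://other.example"]}')
MALFORMED = '{"aud": ["https://api.example", 42]}'

if __name__ == "__main__":
    for sample in (AS_STRING, AS_ARRAY):
        aud = parse_audience(sample)
        print(aud, "->", serialize_audience(aud),
              "| single-string mode:", serialize_audience(aud, True))
    print("exact match:", audience_accepts(AS_STRING, "https://api.example"))
    print("substring rejected:", not audience_accepts(AS_STRING, "api.example"))
```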