v1.0.0 no longer can unmarshal a single audience from client credentials using CustomClaims #81

Closed
lita opened this issue Mar 17, 2021 · 9 comments

@lita

lita commented Mar 17, 2021

Description

I believe the upgrade to 1.0.0 and the change from github.com/dgrijalva/jwt-go to github.com/form3tech-oss/jwt-go broke using Auth0's Client Credentials. We currently use this to do integration tests. The types have changed for StandardClaims for the audience field, going from string to []string, which makes the Bearer token returned from /oauth/token endpoint not useable.

Reproduction

curl --request POST \
  --url https://<<your app>>.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"<<YOUR ID>>","client_secret":"<<YOUR SECRET>>","audience":"https://<<your app>>.auth0.com/api/","grant_type":"client_credentials"}'

Passing that credential into the go-jwt-middleware library results in the error JWT Check failed. Error: Error parsing token: json: cannot unmarshal string into Go struct field CustomClaims.aud of type []string.

If I try to make the same call with multiple audiences or a single audience with an array ("audience":["https://<>.auth0.com/api/"]), the curl call fails.

{"error":"invalid_request","error_description":"Invalid audience. Expected type 'string' but found type 'object'."}%

I also tried escaping ("audience":\["https://<<your app>>.auth0.com/api/"\]), but I get an invalid json error.

Environment

Please provide the following:

  • Version of this library used: 1.0.0
  • Version of the platform or framework used, if applicable: N/A
  • Other relevant versions (language, server software, OS, browser): N/A
  • Other modules/plugins/libraries that might be involved: github.com/form3tech-oss/jwt-go
@grounded042
Contributor

Hey @lita, thanks for reaching out about this issue. #72 is tracking this issue and several community members have posted their workarounds there. Long term we are not planning on supporting jwt-go in this package and are looking to have a better solution in v2.

@lita
Author

lita commented Mar 18, 2021

Hey @grounded042, I did take a look at #72 but that seems to be describing a different issue, where there are multiple audiences. This issue pertains to having a single audience (with the audience not contained in an array), in which StandardClaims fails to get marshaled. And it doesn't seem like I can convert an audience to an array via hooks in Auth0.

Maybe I missed something?

@lita
Author

lita commented Mar 18, 2021

It seems like the functionality still works with using MapClaims. So I guess I can work around this to use MapClaims for now. But it would be great to be able to use StandardClaims and CustomClaims in the future.

@grounded042
Contributor

Ahh, gotcha. That's my mistake in my read through of your issue - sorry!

If using MapClaims for now works that's great! As I mentioned we're planning on dropping support for jwt-go in v2 and hopefully the new package will work much better for you.

lita changed the title from "v1.0.0 no longer can unmarshal audience from client credentials using CustomClaims" to "v1.0.0 no longer can unmarshal a single audience from client credentials using CustomClaims" on Mar 22, 2021

@lita
Author

lita commented Mar 22, 2021

@grounded042 is there a way for Auth0 to take in multiple audiences for client credentials when creating the bearer token?

@grounded042
Contributor

> @grounded042 is there a way for Auth0 to take in multiple audiences for client credentials when creating the bearer token?

@lita does this answer your question? https://community.auth0.com/t/multiple-audiences-in-an-access-token/21945/4

If not, let me know and I can dig in a bit more.

@lita
Author

lita commented Apr 8, 2021

Yeah this does answer my question. I actually ended up downgrading, as there is no way to support both single audiences with access tokens and multiple audiences with oauth tokens in the same code path with the 1.0.0 change.
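
The mismatch reported in this issue is between the two JSON shapes RFC 7519 (section 4.1.3) permits for `aud`: a single string or an array of strings. As an added example (not part of the original thread, and not code from go-jwt-middleware or jwt-go), here is a claim type that decodes both shapes with only `encoding/json` and fails closed on anything else; `Audience`, `HasAudience` and the `example.test` URLs are hypothetical, and the payloads are constructed and assumed to come from a token whose signature was already verified.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Audience holds the JWT "aud" claim: one string or an array of strings.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var raw interface{}
	if err := json.Unmarshal(b, &raw); err != nil {
		return err
	}
	switch v := raw.(type) {
	case string: // single audience, as in the client-credentials token above
		*a = Audience{v}
	case []interface{}: // multiple audiences
		out := make(Audience, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return fmt.Errorf("aud: array element has type %T, want string", e)
			}
			out = append(out, s)
		}
		*a = out
	default: // null, number, object: reject rather than guess
		return fmt.Errorf("aud: got %T, want string or array of strings", raw)
	}
	return nil
}

// HasAudience decodes a (hypothetical) payload and reports whether want is listed.
func HasAudience(payload, want string) (bool, error) {
	var c struct {
		Aud Audience `json:"aud"`
	}
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return false, err
	}
	for _, v := range c.Aud {
		if v == want {
			return true, nil
		}
	}
	return false, nil
}

func main() { fmt.Println(HasAudience(`{"aud":"https://api.example.test/"}`, "https://api.example.test/")) }
```

A missing `aud` leaves the slice empty, so the audience check returns false instead of passing by default.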

@grounded042
Contributor

I'm sorry about that! With the next versions and beyond our versioning should be in a good state so breaking changes like that do not happen.

@sergiught
Contributor

We just released the v2.0.0-beta 🥳 !

You can start testing it by running go get github.com/auth0/go-jwt-middleware/v2@v2.0.0-beta.

In case of issues fetching the v2 you might want to try go clean --modcache first before doing go get.

I'm closing this issue as now this is part of v2, but feel free to reopen if needed.
