Revert pull request #10 (multiple audiences) (#24)

Per #23, PR #10 (unreleased) made the authorization properties of Claims.Validate more relaxed. Given that people may have been relying on those authorization properties, we shouldn't make that change without a change in API surface or a major version bump.
go-jose · Nov 9, 2023 · c8399df · c8399df
1 parent ec819e9
commit c8399df
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 18 deletions.
diff --git a/jwt/validation.go b/jwt/validation.go
@@ -89,16 +89,11 @@ func (c Claims) ValidateWithLeeway(e Expected, leeway time.Duration) error {
 	}
 
 	if len(e.Audience) != 0 {
-		flag := false
 		for _, v := range e.Audience {
-			if c.Audience.Contains(v) {
-				flag = true
-				break
+			if !c.Audience.Contains(v) {
+				return ErrInvalidAudience
 			}
 		}
-		if !flag {
-			return ErrInvalidAudience
-		}
 	}
 
 	// validate using the e.Time, or time.Now if not provided

diff --git a/jwt/validation_test.go b/jwt/validation_test.go
@@ -44,17 +44,6 @@ func TestFieldsMatch(t *testing.T) {
 		assert.NoError(t, c.Validate(v))
 	}
 
-	claimsWithSingleAudience := Claims{
-		Issuer:   "issuer",
-		Subject:  "subject",
-		Audience: []string{"a1"},
-		ID:       "42",
-	}
-
-	for _, v := range valid {
-		assert.NoError(t, claimsWithSingleAudience.Validate(v))
-	}
-
 	invalid := []struct {
 		Expected Expected
 		Error    error