JWT validation missing aud validation #1042
Labels: priority: p1, Type: Enhancement
The method `ValidateAsync` in GoogleJsonWebSignature.cs doesn't seem to check if the `aud` value in the ID token is equal to the user's app's client ID as described in the third step here: https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken. Maybe the method should receive some sort of audience similar to how the Java API's `GoogleIdTokenVerifier` does, or is this intended to be done manually after validation using the async method?
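The manual check the issue asks about, as an added example (not code from the library or from the issue author): once `ValidateAsync` has verified the signature, compare the token's `aud` claim against your own client ID. It reads the payload segment directly instead of assuming any library property; `HasTrustedAudience` and the client ID values are hypothetical, and it goes slightly beyond the issue by also handling the array form of `aud` that RFC 7519 allows.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class AudienceCheck
{
    // Decode one base64url JWT segment (URL-safe alphabet, padding stripped).
    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Call only AFTER the signature has been verified; this does not verify it.
    // "aud" may be a single string or an array of strings. Policy chosen here
    // (an assumption): every listed audience must be one of our own client IDs.
    public static bool HasTrustedAudience(string jwt, ISet<string> trustedClientIds)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;
        try
        {
            using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
            if (doc.RootElement.ValueKind != JsonValueKind.Object ||
                !doc.RootElement.TryGetProperty("aud", out JsonElement aud)) return false;
            var audiences = new List<string>();
            if (aud.ValueKind == JsonValueKind.String) audiences.Add(aud.GetString());
            else if (aud.ValueKind == JsonValueKind.Array)
                foreach (JsonElement e in aud.EnumerateArray())
                {
                    if (e.ValueKind != JsonValueKind.String) return false;
                    audiences.Add(e.GetString());
                }
            // Fail closed: a missing, empty or non-string "aud" is rejected.
            return audiences.Count > 0 && audiences.TrueForAll(trustedClientIds.Contains);
        }
        catch (Exception ex) when (ex is FormatException || ex is JsonException) { return false; }
    }

    // Helper for the constructed sample below: base64url-encode a JSON string.
    static string Seg(string json) => Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample: a token issued for a different app (placeholder IDs).
        string jwt = Seg("{\"alg\":\"RS256\"}") + "." + Seg("{\"aud\":\"other-app.example\"}") + ".sig";
        Console.WriteLine(HasTrustedAudience(jwt, new HashSet<string> { "my-app.example" }));
    }
}
```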