Skip to content

Support multiple jwt audiences for oidc #977

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jul 30, 2025
Merged

Support multiple jwt audiences for oidc #977

merged 7 commits into from
Jul 30, 2025
+63 −14

Conversation

lovasoa
Copy link
Collaborator

@lovasoa lovasoa commented Jul 28, 2025

Allow OIDC JWTs to contain multiple audiences to improve compatibility with various providers (e.g., ZITADEL, Azure AD).

Previously, SQLPage's OIDC validation strictly expected only the client ID in the aud claim. However, many OIDC providers include additional audiences, leading to "Invalid audiences" errors (GitHub issue #965). This PR leverages openidconnect's set_other_audience_verifier_fn to allow flexible audience validation, defaulting to a permissive mode that accepts additional audiences as long as the client ID is present, while also offering configurable strictness via oidc_additional_trusted_audiences.

Open in WebOpen in CursorOpen Docs

cursoragent and others added 2 commits July 28, 2025 23:06
@lovasoa lovasoa linked an issue Jul 28, 2025 that may be closed by this pull request
OIDC Login Fails with Zitadel – Invalid Audience #965
Closed
@lovasoa
Copy link
Collaborator Author

lovasoa commented Jul 28, 2025

@cursor review

cursor[bot]
cursor bot reviewed Jul 28, 2025
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no bugs!

Bugbot free trial expires on August 9, 2025
Learn more in the Cursor dashboard.

lovasoa added 2 commits July 29, 2025 22:59
@lovasoa
remive verbose docs
5a751ff
@lovasoa
Refactor OIDC audience verification logic
307243b 
The changes move audience verification into a dedicated type and improve
code organization around ID token verification.
@lovasoa lovasoa marked this pull request as ready for review July 30, 2025 11:52
@lovasoa lovasoa merged commit 2a13f62 into main Jul 30, 2025
9 checks passed
@lovasoa lovasoa deleted the cursor/support-multiple-jwt-audiences-for-oidc-d85b branch July 30, 2025 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OIDC Login Fails with Zitadel – Invalid Audience
2 participants
@lovasoa @cursoragent