Allow JWT_DECODE_AUDIENCE to be an array

[styk-tv]

Hi. I have spent much time with your library and I use it a lot including for verification of outside OIDC issued tokens. I would like to propose JWT_DECODE_AUDIENCE to be an array so token verify would allow verification from multiple audiences.

Scenarios. Identity Clients accessing API:

• CLI tool could be one consumer (direct grant)
• Web client could be second consumer (implicit flow)
• Web developer running on localhost could be third consumer (client has different redirects)

All issued by same provider, all valid. Only difference is each client has a different AUDience. It seems an a common practice to allow multiple audiences to be allowed to be verified in api. auth0/node-jsonwebtoken#4

So if I could do JWT_DECODE_AUDIENCE = ['ai.mysoft.web','ai.mysoft.cli','ai.mysoft.localhost'] that would be great. Does that make sense?

[styk-tv]

FROM: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

aud
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.

If you allow, I'd like to contribute oidc use example including autodiscovery and assembly of RSA public key from JWK endpoint data.

[vimalloc]

Yeah, aud should absolutely allow arrays, it was an oversight that wasn't caught when adding that feature. PyJWT already supports aud being an array, so all we need to do for this extension is update the config helper file, add the documentation, and write a unit test.

Would you be willing to submit a PR to add these features? If not, I can add them when I have a free moment, probably this weekend.

Thanks!

[vimalloc]

So it looks like an array can already be passed in JWT_DECODE_AUDIENCE, whatever is passed in there is forwarded directly to PyJWT behind the scenes. I've updated the documentation to make this clearer, and added a unit test to make sure that this functionality is never accidentally removed in future versions of this library.

Cheers 👍

[styk-tv]

@vimalloc as promised #222