ctron · ctron · Jan 26, 2024 · Jan 23, 2024 · Jan 23, 2024 · Jan 23, 2024
diff --git a/src/agent/client/openid.rs b/src/agent/client/openid.rs
@@ -39,6 +39,7 @@ pub struct OpenIdClient {
     end_session_url: Option<Url>,
     after_logout_url: Option<String>,
     post_logout_redirect_name: Option<String>,
+    valid_audiences: Vec<String>,
 }
 
 /// Additional metadata read from the discovery endpoint
@@ -100,14 +101,22 @@ impl Client for OpenIdClient {
 
         let after_logout_url = config.additional.after_logout_url;
 
-        let client =
-            CoreClient::from_provider_metadata(metadata, ClientId::new(config.client_id), None);
+        let client = CoreClient::from_provider_metadata(
+            metadata,
+            ClientId::new(config.client_id.clone()),
+            None,
+        );
+        let valid_audiences = config
+            .additional
+            .valid_audiences
+            .unwrap_or(vec![config.client_id.clone()]);
 
         Ok(Self {
             client,
             end_session_url,
             after_logout_url,
             post_logout_redirect_name: config.additional.post_logout_redirect_name,
+            valid_audiences,
         })
     }
 
@@ -178,7 +187,7 @@ impl Client for OpenIdClient {
         let claims = Rc::new(
             id_token
                 .clone()
-                .into_claims(&self.client.id_token_verifier(), &Nonce::new(state.nonce))
+                .into_claims(&self.client.id_token_verifier().set_other_audience_verifier_fn(|aud| self.valid_audiences.contains(aud)), &Nonce::new(state.nonce))
                 .map_err(|err| {
                     OAuth2Error::LoginResult(format!("failed to verify ID token: {err}"))
                 })?,

diff --git a/src/agent/config.rs b/src/agent/config.rs
@@ -10,6 +10,7 @@ pub struct AgentConfiguration<C: Client> {
     pub grace_period: Duration,
     pub audience: Option<String>,
     pub options: Option<LoginOptions>,
+    pub valid_audiences: Option<Vec<String>>,
 }
 
 impl<C: Client> PartialEq for AgentConfiguration<C> {

diff --git a/src/components/context/mod.rs b/src/components/context/mod.rs
@@ -34,6 +34,9 @@ pub struct Props<C: Client> {
     #[prop_or_default]
     pub audience: Option<String>,
 
+    #[prop_or_default]
+    pub valid_audiences: Option<Vec<String>>,
+
     /// Children which will have access to the [`OAuth2Context`].
     #[prop_or_default]
     pub children: Children,
@@ -134,8 +137,9 @@ impl<C: Client> OAuth2<C> {
             config: props.config.clone(),
             scopes: props.scopes.clone(),
             grace_period: props.grace_period,
-            audience: props.audience.clone(),
+            valid_audiences: props.valid_audiences.clone(),
             options: props.options.clone(),
+            audience: props.audience.clone(),
         }
     }
 }

diff --git a/src/config.rs b/src/config.rs
@@ -29,6 +29,7 @@ pub mod openid {
         /// The defaults to `post_logout_redirect_uri` for OpenID RP initiated logout.
         /// However, e.g. older Keycloak instances require this to be `redirect_uri`.
         pub post_logout_redirect_name: Option<String>,
+        pub valid_audiences: Option<Vec<String>>,
     }
 }