Merge pull request #78 from grafbase/gb-9034-multiple-audience

feat(jwt): Add support for multiple audiences in the configuration

Author: Finistere

Cargo.lock

@@ -5,5 +5,5 @@
   inputs,
   ...
 }: {
-  packages = [pkgs.git pkgs.rustup pkgs.openssl pkgs.cargo-nextest pkgs.taplo pkgs.protobuf];
+  packages = [pkgs.git pkgs.rustup pkgs.openssl pkgs.cargo-nextest pkgs.taplo pkgs.cargo-insta pkgs.protobuf];
 }

devenv.nix

@@ -1,5 +1,10 @@
 # Changelog
 
+## [1.1.0] - 2025-05-01
+
+- Support for an array in `audience` configuration.
+- Better configuration de-serialization errors.
+
 ## [1.0.0] - 2025-05-01
 
 - No changes.

extensions/jwt/CHANGELOG.md

@@ -32,7 +32,11 @@ url = "https://example.com/.well-known/jwks.json"
 # issuer = "example.com"
 
 # Expected `aud` claim. By default it is NOT validated.
+# If a list is provided, only one of those audience must match.
+# Note that `aud` claim can be an array in all cases in the JWT and only one of the `aud` claims
+# must match an audience defined here.
 # audience = "my-project"
+# audience = ["my-project", "my-other-name"]
 
 # How long the JWKS will be cached, in seconds.
 poll_interval = 60

extensions/jwt/README.md

@@ -1,6 +1,6 @@
 [extension]
 name = "jwt"
-version = "1.0.0"
+version = "1.1.0"
 kind = "authentication"
 description = "Restrict access to your graph with JWT"
 repository_url = "https://github.com/grafbase/extensions/tree/main/extensions/jwt"

extensions/jwt/extension.toml

@@ -7,7 +7,7 @@ pub(crate) struct Config {
     pub url: Url,
     pub poll_interval: Duration,
     pub issuer: Option<String>,
-    pub audience: Option<String>,
+    pub audience: Option<Vec<String>>,
     pub locations: Vec<Location>,
 }
 
@@ -57,12 +57,14 @@ impl<'de> serde::Deserialize<'de> for Config {
     }
 }
 
+#[serde_with::serde_as]
 #[derive(Debug, serde::Deserialize)]
 #[serde(deny_unknown_fields)]
 struct TomlConfig {
     url: Url,
     issuer: Option<String>,
-    audience: Option<String>,
+    #[serde_as(deserialize_as = "Option<serde_with::OneOrMany<_>>")]
+    audience: Option<Vec<String>>,
     #[serde(default = "default_poll_interval", deserialize_with = "deserialize_duration")]
     poll_interval: Duration,
     header_name: Option<String>,

extensions/jwt/src/config.rs

@@ -38,8 +38,8 @@ impl<'a> Decoder<'a> {
         }
 
         if let Some(expected) = self.config.audience.as_ref() {
-            let audience = token.claims().custom.audience.as_ref()?;
-            if audience.iter().all(|aud| aud != expected) {
+            let aud_claims = token.claims().custom.audience.as_ref()?;
+            if aud_claims.iter().all(|claim| !expected.contains(claim)) {
                 return None;
             }
         }

extensions/jwt/src/decoder.rs

@@ -9,6 +9,7 @@ pub const ISSUER: &str = "http://127.0.0.1:4444";
 pub const JWKS_URI: &str = "http://127.0.0.1:4444/.well-known/jwks.json";
 pub const AUDIENCE: &str = "integration-tests";
 pub const OTHER_AUDIENCE: &str = "other-audience";
+pub const THIRD_AUDIENCE: &str = "third-audience";
 const HYDRA_ADMIN_URL: &str = "http://127.0.0.1:4445";
 // Second provider
 pub const ISSUER_2: &str = "http://127.0.0.1:4454";
@@ -53,7 +54,7 @@ impl OryHydraOpenIDProvider {
                 access_token_strategy: Some("jwt".into()),
                 grant_types: Some(vec!["client_credentials".into()]),
                 // Allowed audiences
-                audience: Some(vec![AUDIENCE.into(), OTHER_AUDIENCE.into()]),
+                audience: Some(vec![AUDIENCE.into(), OTHER_AUDIENCE.into(), THIRD_AUDIENCE.into()]),
                 // Allowed scopes
                 scope: Some(format!("{READ_SCOPE} {WRITE_SCOPE}")),
                 ..ory_client::models::OAuth2Client::new()