From 8b1488d36510265ff453512dbe00a5f299d6e104 Mon Sep 17 00:00:00 2001
From: Caranatar
Date: Mon, 6 Jul 2020 06:36:35 -0400
Subject: [PATCH] fix(alcoholic_jwt): Support multiple values in jwt audience claim

Per https://tools.ietf.org/html/rfc7519#section-4.1.3, the audience claim can consist of either a single string or an array of strings. The latter currently causes an error due to the type of aud in PartialClaims.
---
 net/alcoholic_jwt/src/lib.rs | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/net/alcoholic_jwt/src/lib.rs b/net/alcoholic_jwt/src/lib.rs
index c98bee615..4acd8d1e9 100644
--- a/net/alcoholic_jwt/src/lib.rs
+++ b/net/alcoholic_jwt/src/lib.rs
@@ -356,11 +356,20 @@ fn validate_jwt_signature(jwt: &JWT, key: Rsa) -> JWTResult<()> {
 }
 }

+/// Internal helper enum for PartialClaims that supports single or
+/// multiple audiences
+#[derive(Deserialize)]
+#[serde(untagged)]
+enum Audience {
+ Single(String),
+ Multi(Vec)
+}
+
 /// Internal helper struct for claims that are relevant for claim
 /// validations.
 #[derive(Deserialize)]
 struct PartialClaims {
- aud: Option,
+ aud: Option,
 iss: Option,
 sub: Option,
 exp: Option,
@@ -388,7 +397,12 @@ fn apply_validation(claims: &PartialClaims,
 Validation::Audience(aud) => {
 match claims.aud {
 None => Err("'aud' claim is missing"),
- Some(ref claim) => if *claim == aud {
+ Some(Audience::Single(ref claim)) => if *claim == aud {
+ Ok(())
+ } else {
+ Err("'aud' claim does not match")
+ },
+ Some(Audience::Multi(ref claims)) => if claims.contains(&aud) {
 Ok(())
 } else {
 Err("'aud' claim does not match")
-- 
2.27.0
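Review bot: The doc comment on the new `Audience` enum does not say what happens when 'aud' is neither a string nor an array of strings. With `#[serde(untagged)]` serde tries `Single`, then `Multi`, and returns a deserialization error for `PartialClaims` when neither fits, so such a token is not treated as having no audience. That fail-closed behaviour is worth recording, e.g. `/// Any other JSON shape for 'aud' is a deserialization error, not a missing claim.` How the caller surfaces that error is outside this hunk. rustfmt would also put a trailing comma after the `Multi` variant.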
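Review bot: The new `Audience::Multi` arm changes which tokens pass the audience check, yet the diffstat shows only `lib.rs` touched and neither hunk adds a test. Cases worth pinning: an array containing the expected audience passes, an array without it fails, and an empty array fails with `'aud' claim does not match`. In the same arm the binding `ref claims` shadows the `claims: &PartialClaims` parameter, so `claims.contains(&aud)` reads as if it queried the whole claim set; a distinct name fixes that, e.g. `Some(Audience::Multi(ref auds)) => if auds.contains(&aud) {`. `apply_validation` starts and ends outside this hunk.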