Nimbus JOSE JWT expected audience claim to be any of a multiple

When validating a JWT I have a scenario where I have a list of allowed client IDs. I put the client ID into the JWT as the audience claim, but at validation time I need to compare it against the list.

I tried the following:

import com.nimbusds.jose.proc.SecurityContext
import com.nimbusds.jwt.JWTClaimsSet
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier
import com.nimbusds.jwt.proc.DefaultJWTProcessor

val allowedClients = listOf("client1", "client2")
val validClaims = JWTClaimsSet.Builder()
        .issuer("myIssuer")
        .audience(allowedClients)
        .build()

val jwtProcessor: ConfigurableJWTProcessor<SecurityContext> = DefaultJWTProcessor()
// keySelector is the JWSKeySelector configured elsewhere in the application
jwtProcessor.jwsKeySelector = keySelector

jwtProcessor.jwtClaimsSetVerifier = DefaultJWTClaimsVerifier(
        // exact match claims
        validClaims,
        // required claims
        HashSet(listOf("exp", "iss")))

However, if the issued JWT now contains only the single client ID that I am acting as, validation fails with

com.nimbusds.jwt.proc.BadJWTException: JWT aud claim has value [client2], must be [client1, client2]

What do I have to do so that the verifier expects any one of the client IDs to appear in the audience claim, rather than the full list? The alternative, of course, would be to add a single client ID at the start of the audience claim, but I would like to avoid that.

You can define the accepted audience in the verifier. (Documentation from nimbus-jose-jwt v9.20)

/**
 * Creates new default JWT claims verifier. The expiration ("exp") and
 * not-before ("nbf") claims will be checked only if they are present
 * and parsed successfully; add them to the required claims if they are
 * mandatory.
 *
 * @param acceptedAudience The accepted JWT audience values,
 *                         {@code null} if not specified. A
 *                         {@code null} value in the set allows JWTs
 *                         with no audience.
 * @param exactMatchClaims The JWT claims that must match exactly,
 *                         {@code null} if none.
 * @param requiredClaims   The names of the JWT claims that must be
 *                         present, empty set or {@code null} if none.
 * @param prohibitedClaims The names of the JWT claims that must not be
 *                         present, empty set or {@code null} if none.
 */
public DefaultJWTClaimsVerifier(final Set<String> acceptedAudience,
                final JWTClaimsSet exactMatchClaims,
                final Set<String> requiredClaims,
                final Set<String> prohibitedClaims) {
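To see the difference between the two constructor parameters end to end, here is an added Kotlin example (not code from the question or from the Nimbus project) that signs test tokens with a freshly generated RSA key and runs them through a `DefaultJWTProcessor` whose verifier gets the allowed client IDs as `acceptedAudience` and only `iss` as an exact-match claim. The issuer name `myIssuer`, the key ID `sig-key-1`, the subject and the client IDs are made-up values; it assumes nimbus-jose-jwt 9.x on the classpath.

```kotlin
import com.nimbusds.jose.JWSAlgorithm
import com.nimbusds.jose.JWSHeader
import com.nimbusds.jose.crypto.RSASSASigner
import com.nimbusds.jose.jwk.JWKSet
import com.nimbusds.jose.jwk.RSAKey
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator
import com.nimbusds.jose.jwk.source.ImmutableJWKSet
import com.nimbusds.jose.proc.JWSVerificationKeySelector
import com.nimbusds.jose.proc.SecurityContext
import com.nimbusds.jwt.JWTClaimsSet
import com.nimbusds.jwt.SignedJWT
import com.nimbusds.jwt.proc.BadJWTException
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier
import com.nimbusds.jwt.proc.DefaultJWTProcessor
import java.util.Date

// Hypothetical client IDs. A token passes if its aud claim contains ANY of them.
val allowedClients: Set<String> = setOf("client1", "client2")

// Builds a processor that checks the RS256 signature against the given key and
// then applies an any-of audience check instead of an exact-match one.
fun buildProcessor(verificationKey: RSAKey): DefaultJWTProcessor<SecurityContext> {
    val processor = DefaultJWTProcessor<SecurityContext>()
    processor.jwsKeySelector = JWSVerificationKeySelector<SecurityContext>(
        JWSAlgorithm.RS256,
        ImmutableJWKSet<SecurityContext>(JWKSet(verificationKey.toPublicJWK()))
    )
    processor.jwtClaimsSetVerifier = DefaultJWTClaimsVerifier<SecurityContext>(
        // acceptedAudience: any overlap with this set passes. Do NOT put null in
        // here unless tokens carrying no aud claim at all are really acceptable.
        allowedClients,
        // exactMatchClaims: only claims that must be equal, such as the issuer.
        JWTClaimsSet.Builder().issuer("myIssuer").build(),
        // requiredClaims: exp must be present so the lifetime is actually checked.
        setOf("exp", "iss"),
        // prohibitedClaims: none
        null
    )
    return processor
}

// Issues a signed test token. audience == null omits the aud claim entirely.
fun issueToken(signingKey: RSAKey, audience: List<String>?): String {
    val builder = JWTClaimsSet.Builder()
        .issuer("myIssuer")
        .subject("user-42")
        .expirationTime(Date(System.currentTimeMillis() + 5 * 60 * 1000))
    if (audience != null) builder.audience(audience)
    val header = JWSHeader.Builder(JWSAlgorithm.RS256).keyID(signingKey.keyID).build()
    val jwt = SignedJWT(header, builder.build())
    jwt.sign(RSASSASigner(signingKey))
    return jwt.serialize()
}

fun main() {
    val key = RSAKeyGenerator(2048).keyID("sig-key-1").generate()
    val processor = buildProcessor(key)

    // Constructed test cases: the first two are accepted, the last two rejected.
    val cases: Map<String, List<String>?> = mapOf(
        "aud=[client2]"        to listOf("client2"),          // single allowed ID
        "aud=[other, client1]" to listOf("other", "client1"), // any-of overlap
        "aud=[other]"          to listOf("other"),            // no overlap
        "aud missing"          to null                        // null not in the set
    )
    for ((label, aud) in cases) {
        val token = issueToken(key, aud)
        try {
            val claims = processor.process(token, null)
            println("$label -> accepted (sub=${claims.subject})")
        } catch (e: BadJWTException) {
            println("$label -> rejected: ${e.message}")
        }
    }
}
```

The error in the question came from placing the list in `exactMatchClaims`: that parameter compares the token's whole `aud` array for equality with the configured value, so a token for `client2` alone can never match `[client1, client2]`. With `acceptedAudience` a single overlapping entry is enough, and a token without any `aud` is still rejected as long as `null` is not in the set, which is the behaviour you want when the token is meant to be bound to one of your clients.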