From c1730e7815a73bee592b2171a0fd8360f2fd1f71 Mon Sep 17 00:00:00 2001
From: Arno V
Date: Mon, 24 Jun 2024 21:40:25 +0200
Subject: [PATCH] fix: audience is now a required JWT claim for idToken (#24)

---
 packages/auth-provider/src/common/utilities.ts | 8 ++++++--
 .../src/components/AuthProvider/AuthProvider.tsx | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/packages/auth-provider/src/common/utilities.ts b/packages/auth-provider/src/common/utilities.ts
index caa1816..ab2c035 100644
--- a/packages/auth-provider/src/common/utilities.ts
+++ b/packages/auth-provider/src/common/utilities.ts
@@ -45,13 +45,17 @@ export const serviceCall = async ({ params = {} }: ServiceCallProps) => {
   }
 };
 
-export const verifyAndExtractToken = async (token: string) => {
+export const verifyAndExtractToken = async (
+  token: string,
+  audience: string,
+) => {
   try {
     const alg = JWT.ALG;
     const spki = JWT_PUBLIC_KEY;
     const publicKey = await jose.importSPKI(spki, alg);
     return await jose.jwtVerify(token, publicKey, {
       issuer: JWT.ISSUER,
+      audience,
     });
   } catch (_error) {
     return undefined;
@@ -79,7 +83,7 @@ export const authenticateUser = async ({
       clientId,
     },
   });
-  const jwt = await verifyAndExtractToken(response.data.idToken);
+  const jwt = await verifyAndExtractToken(response.data.idToken, clientId);
   if (jwt && jwt.payload[JWT.USER_ID_KEY] !== "") {
     return {
       idToken: response.data.idToken,
diff --git a/packages/auth-provider/src/components/AuthProvider/AuthProvider.tsx b/packages/auth-provider/src/components/AuthProvider/AuthProvider.tsx
index cddeb4a..b577f4a 100644
--- a/packages/auth-provider/src/components/AuthProvider/AuthProvider.tsx
+++ b/packages/auth-provider/src/components/AuthProvider/AuthProvider.tsx
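Review bot: The `catch (_error)` in verifyAndExtractToken still collapses every failure into `undefined`, so an `aud` mismatch — the very check this patch adds — is indistinguishable from an expired token, a bad signature or a malformed public key, and nothing is emitted that a defender could alert on. At minimum record the failure class before returning, e.g. `if (_error instanceof Error) console.warn("idToken verification failed:", _error.name);` (jose's error classes also expose a `code` string that names the failed claim). The new `audience` parameter is also accepted unchecked, so an empty `clientId` from a caller reaches `jose.jwtVerify` as `audience: ""`; the intent of making `aud` mandatory is clearer with an explicit guard, `if (!audience) return undefined;`, at the top of the try. Related, the `jwt.payload[JWT.USER_ID_KEY] !== ""` test in the second hunk of this file still passes when the claim is absent (`undefined !== ""`), so only an empty string is rejected, not a missing user id — worth tightening to `typeof jwt.payload[JWT.USER_ID_KEY] === "string" && jwt.payload[JWT.USER_ID_KEY] !== ""` while the verification contract is being hardened.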
@@ -41,7 +41,7 @@ export const AuthProvider = ({
     if (previousIdToken !== idToken && idToken !== null) {
       (async () => {
         try {
-          const jwt = await verifyAndExtractToken(idToken);
+          const jwt = await verifyAndExtractToken(idToken, clientId);
           if (jwt && jwt.payload[JWT.USER_ID_KEY] !== "") {
             setAuthState({
               isAuthenticated: true,
@@ -58,7 +58,7 @@ export const AuthProvider = ({
         }
       })();
     }
-  }, [idToken, previousIdToken]);
+  }, [idToken, previousIdToken, clientId]);
 
   const login = async (
     username: string,
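Review bot: Adding `clientId` to the dependency list in the second hunk re-runs the effect, but the async IIFE launched in the first hunk has no cancellation, so a verification started for the previous `idToken`/`clientId` pair can resolve after the re-run and call `setAuthState` with a stale result. The effect's opening line and its remaining `setAuthState` calls lie outside these hunks, so the fix spans code not shown here. A cleanup flag closes the gap: `let cancelled = false;` at the top of the effect body, `if (cancelled) return;` immediately after the `await verifyAndExtractToken(idToken, clientId)` line, and `return () => { cancelled = true; };` as the effect's return value before the dependency array.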