Skip to content

ID token validation fails with tokens containing multiple audiences #383

New issue
New issue
Open
#382
Open
ID token validation fails with tokens containing multiple audiences#383
#382
Labels
Type/Bug
@dileepapeiris

Description

@dileepapeiris
dileepapeiris
opened on Mar 3, 2026

Description

ID token validation fails when tokens contain multiple audiences in the aud claim, causing users to be logged out prematurely before token expiration.

Problem

When an identity provider issues tokens with multiple audiences (e.g., ["client-id", "additional-audience"]), the SDK's validation fails because:

  • The token's aud claim is an array: ["client-id", "additional-audience"]
  • SDK passes audience: clientId (string) to jose.jwtVerify()
  • The jose library cannot match a string against an array
  • Validation fails and users are logged out during token validation

Root Cause

The SDK passes audience: clientId as a string to jose.jwtVerify(). When the token contains an array of audiences, jose cannot match the string against the array.

Current code:

audience: clientId  // String - fails with array audiences

Steps to Reproduce

  1. Configure an application with an identity provider that issues tokens with multiple audiences in the aud claim
  2. Sign in to the application using the SDK
  3. Observe that token validation fails
  4. User is logged out during token validation, before the token's natural expiration time

Expected: Token validation should succeed when clientId is present in the audience array, and users should remain authenticated for the full token lifetime.

Actual: Token validation fails, and users are logged out prematurely.

Please select the area the issue is related to

@asgardeo/javascript, @asgardeo/browser, @asgardeo/node

Version

@asgardeo/browser@0.4.1 @asgardeo/javascript@0.8.1 @asgardeo/node@0.0.55

Environment Details (with versions)

  • SDK Packages: @asgardeo/browser@0.4.1, @asgardeo/javascript@0.8.1, @asgardeo/node@0.0.55
  • jose library: (version used by SDK)
  • Node.js: v18+ (or your version)
  • Browser: Chrome/Safari/Firefox (if applicable)
  • OS: macOS/Windows/Linux

Reporter Checklist

  • I have searched the existing issues and this is not a duplicate.
  • I have provided all the necessary information.
  • I have tested the issue on the latest version of the package.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type/Bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions