From 3719019f20ae1d2315e0971b4cc02ae306cac679 Mon Sep 17 00:00:00 2001
From: "K.Dileepa Thushan Peiris"
Date: Tue, 3 Mar 2026 22:12:05 +0530
Subject: [PATCH 1/4] fix(browser): support multiple audiences in ID token validation Change audience parameter from string to array in jose.jwtVerify() to properly validate tokens with multiple audiences (e.g., Choreo tokens with ['client-id', 'choreo:deployment:sandbox']). This fixes validation failures that caused immediate logout after authentication."
---
 packages/browser/src/__legacy__/utils/crypto-utils.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/browser/src/__legacy__/utils/crypto-utils.ts b/packages/browser/src/__legacy__/utils/crypto-utils.ts
index 1d3792712..503da5cfb 100644
--- a/packages/browser/src/__legacy__/utils/crypto-utils.ts
+++ b/packages/browser/src/__legacy__/utils/crypto-utils.ts
@@ -57,7 +57,7 @@ export class SPACryptoUtils implements Crypto {
 ): Promise {
 const jwtVerifyOptions = {
 algorithms: algorithms,
- audience: clientId,
+ audience: [clientId],
 clockTolerance: clockTolerance,
 subject: subject,
 };
From 8969759e26a041d7a6b1f755b38ad610dd58b197 Mon Sep 17 00:00:00 2001
From: "K.Dileepa Thushan Peiris"
Date: Tue, 3 Mar 2026 22:12:39 +0530
Subject: [PATCH 2/4] fix(javascript): support multiple audiences in ID token validation Change audience parameter from string to array in jose.jwtVerify() to properly validate tokens with multiple audiences (e.g., Choreo tokens with ['client-id', 'choreo:deployment:sandbox']). This fixes validation failures that caused immediate logout after authentication."
---
 packages/javascript/src/DefaultCrypto.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/javascript/src/DefaultCrypto.ts b/packages/javascript/src/DefaultCrypto.ts
index f165c5f2b..0b006f003 100644
--- a/packages/javascript/src/DefaultCrypto.ts
+++ b/packages/javascript/src/DefaultCrypto.ts
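Review bot: Accepting ID tokens whose `aud` lists several audiences, as the commit message intends, leaves the `azp` (authorized party) claim unchecked at the `audience: [clientId]` line in `packages/browser/src/__legacy__/utils/crypto-utils.ts`; the same applies to the hunks in `packages/javascript/src/DefaultCrypto.ts` and `packages/node/src/__legacy__/utils/crypto-utils.ts`. OpenID Connect Core asks a client to verify `azp` when the token carries multiple audiences, so after verification something like `if (Array.isArray(payload.aud) && payload.aud.length > 1 && payload.azp !== clientId) throw new Error('azp mismatch');` would keep a token issued to a different client from being accepted merely because this client id also appears in `aud`. The surrounding function bodies lie outside the hunks, so where the verified payload is available needs confirming. As far as I know jose already treats a string `audience` option as a one-element list and matches it against an array-valued `aud`, so this change may not alter behaviour on its own; a regression test with `aud: ['client-id', 'choreo:deployment:sandbox']` would show whether the reported logout is actually fixed here.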
@@ -64,7 +64,7 @@ export class DefaultCrypto implements Crypto { await jose.jwtVerify(idToken, key, { algorithms, - audience: clientId, + audience: [clientId], clockTolerance, issuer: validateJwtIssuer ? issuer : undefined, subject,
From 20191de0fe071111d9c0cf4045dfb2be3dda4254 Mon Sep 17 00:00:00 2001
From: "K.Dileepa Thushan Peiris"
Date: Tue, 3 Mar 2026 22:13:02 +0530
Subject: [PATCH 3/4] fix(node): support multiple audiences in ID token validation Change audience parameter from string to array in jose.jwtVerify() to properly validate tokens with multiple audiences (e.g., Choreo tokens with ['client-id', 'choreo:deployment:sandbox']). This fixes validation failures that caused immediate logout after authentication."
---
 packages/node/src/__legacy__/utils/crypto-utils.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/node/src/__legacy__/utils/crypto-utils.ts b/packages/node/src/__legacy__/utils/crypto-utils.ts
index 2fa5a924d..c587c7105 100644
--- a/packages/node/src/__legacy__/utils/crypto-utils.ts
+++ b/packages/node/src/__legacy__/utils/crypto-utils.ts
@@ -65,7 +65,7 @@ export class NodeCryptoUtils implements Crypto {
 return jose
 .jwtVerify(idToken, key, {
 algorithms,
- audience: clientId,
+ audience: [clientId],
 clockTolerance,
 issuer,
 subject,
From 2771a7891a8668ff00500e8dd346f7de6bfeafe9 Mon Sep 17 00:00:00 2001
From: "K.Dileepa Thushan Peiris"
Date: Tue, 3 Mar 2026 22:27:46 +0530
Subject: [PATCH 4/4] chore: add changeset
---
 .changeset/open-moments-smoke.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 .changeset/open-moments-smoke.md
diff --git a/.changeset/open-moments-smoke.md b/.changeset/open-moments-smoke.md
new file mode 100644
index 000000000..99d75a75c
--- /dev/null
+++ b/.changeset/open-moments-smoke.md
@@ -0,0 +1,8 @@
+---
+'@asgardeo/javascript': patch
+'@asgardeo/browser': patch
+'@asgardeo/node': patch
+---
+
+fix multiple audiences in ID token validation.Change audience parameter from string to array to support tokens with
+multiple audiences