Jwt Verification fails when there is another additional audience added in the JWT token

[dulanjalidilmi]

Describe the issue:
In JwtVerification, since we set the client ID as the trusted audience[1], the verification fails with following error if there is another clientID included in the audience in the JWT received from the identity provider. eg: Keycloak

"ID token validation failed. Untrusted JWT audience."

Therefore shall we check only if the trusted audience is included in the audience, rather than checking if the the entire audience is included in the trusted audience.

[1]

asgardeo-auth-spa-sdk/lib/src/utils/crypto-utils.ts

Line 65 in eba1e0f

audience: clientID,

[2] https://github.com/asgardeo/asgardeo-java-oidc-sdk/blob/1f0b9fd71683a3a6575d892eeb8a27ef860a75cf/io.asgardeo.java.oidc.sdk/src/main/java/io/asgardeo/java/oidc/sdk/validators/IDTokenValidator.java#L145-L149

How to reproduce:

Expected behavior:

Environment information (Please complete the following information; remove any unnecessary fields) :

• Product Version: [e.g., IS 5.10.0, IS 5.9.0]
• OS: [e.g., Windows, Linux, Mac]
• Browser: [e.g., Chrome, Firefox]
• SDK Version: [e.g., 0.1.0, 0.1.1]

---

Optional Fields

Related issues:

Suggested labels:

[brionmario]

Hi @dulanjalidilmi,

Thanks for bringing this up.
+1 for your suggestion.

Is it possible to send a PR for this change?
We'll include it in the next release.