@@ -98,6 +98,43 @@ public async Task WhenGeneratingAccessToken_ThenItMustBeValidAndContainCorrectCl
9898 }
9999 }
100100
101+ [ Fact ( DisplayName = "[infrastructure] - when generating user access token with provided audiences, then token should include only provided audiences" ) ]
102+ public async Task WhenGeneratingUserAccessTokenWithProvidedAudiences_ThenShouldIncludeOnlyProvidedAudiences ( )
103+ {
104+ /* arrange: create a user and configure realm */
105+ var user = _fixture . Create < User > ( ) ;
106+ var realm = _fixture . Create < Realm > ( ) ;
107+
108+ _realmProvider . Setup ( provider => provider . GetCurrentRealm ( ) )
109+ . Returns ( realm ) ;
110+
111+ var allowedAudiences = new [ ]
112+ {
113+ new Audience ( "backend.api" ) ,
114+ new Audience ( "orders.api" ) ,
115+ new Audience ( "backend.api" )
116+ } ;
117+
118+ /* act: generate an access token with explicit audiences */
119+ var result = await _jwtSecurityTokenService . GenerateAccessTokenAsync ( user , allowedAudiences ) ;
120+
121+ /* assert: token must be successful and valid */
122+ Assert . True ( result . IsSuccess ) ;
123+ Assert . NotNull ( result . Data ) ;
124+
125+ var handler = new JwtSecurityTokenHandler ( ) ;
126+ var jwtToken = handler . ReadJwtToken ( result . Data . Value ) ;
127+
128+ var audiences = jwtToken . Claims
129+ . Where ( claim => claim . Type == JwtRegisteredClaimNames . Aud )
130+ . Select ( claim => claim . Value )
131+ . ToList ( ) ;
132+
133+ Assert . Contains ( "backend.api" , audiences ) ;
134+ Assert . Contains ( "orders.api" , audiences ) ;
135+ Assert . Equal ( 2 , audiences . Distinct ( StringComparer . Ordinal ) . Count ( ) ) ;
136+ }
137+
101138 [ Fact ( DisplayName = "[infrastructure] - when generating a refresh token, then it must be valid and contain correct claims and be persisted" ) ]
102139 public async Task WhenGeneratingRefreshToken_ThenItMustBeValidAndContainCorrectClaimsAndBePersisted ( )
103140 {
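Review bot: The last assertion of the new test (new line 135) counts `audiences.Distinct(StringComparer.Ordinal)`, so a token that carries `backend.api` twice in `aud` still passes, even though the input repeats that audience on purpose at new line 115. If the service is meant to de-duplicate audiences, which the repeated input suggests, assert on the raw list as well: `Assert.Equal(2, audiences.Count);`. The assert comment at new line 121 says the token must be "valid", but `ReadJwtToken` only parses the token and does not check signature or lifetime. Either reword the comment to `/* assert: generation succeeds and the token parses */`, or validate the token against the realm's signing key if validity is meant to be covered here.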