feature(#20): support for multiple audiences in JWT authentication with validation of multiple audiences.

https-richardy · https-richardy · commit e850ca8cb100 · 2026-04-20T22:06:35.000-03:00
diff --git a/Packages/Federation.Sdk/Source/Configurations/FederationOptions.cs b/Packages/Federation.Sdk/Source/Configurations/FederationOptions.cs
@@ -6,4 +6,5 @@ public sealed record FederationOptions
     public string ClientSecret { get; set; } = default!;
     public string Realm { get; set; } = default!;
     public string Authority { get; set; } = default!;
-}
+    public string[] Audiences { get; set; } = [];
+}
diff --git a/Packages/Federation.Sdk/Source/Extensions/AuthenticationExtension.cs b/Packages/Federation.Sdk/Source/Extensions/AuthenticationExtension.cs
@@ -11,8 +11,17 @@ public static void AddBearerAuthentication(this IServiceCollection services)
             .AddJwtBearer(configuration =>
             {
                 configuration.Authority = options.Authority;
-                configuration.Audience = options.Realm;
                 configuration.RequireHttpsMetadata = false;
+                configuration.TokenValidationParameters = new TokenValidationParameters
+                {
+                    ValidateIssuer = true,
+                    ValidateAudience = true,
+
+                    // https://www.rfc-editor.org/rfc/rfc7519.html?#section-4.1.3
+                    // supports multiple audiences in the "aud" claim, so we need to check if any of the audiences match
+                    ValidIssuer = options.Authority,
+                    ValidAudiences = options.Audiences
+                };
             });
     }
-}
+}
