Optionally ignore audience matching in verify function
Hi DockYard :wave:
OneLogin provides a feature to allow authentication between different clients: https://developers.onelogin.com/openid-connect/api/client-credentials-grant
OneLogin validates if the client is authorized to access a given "resource" from connected clients.
Unfortunately, the "aud" value in the claims will not be the resource's client ID; it will be the caller's client ID. This cannot be changed.
To work around this behavior, I created this PR to allow your library to skip the audience matching validation if an option is set.
Let me know if the changes are reasonable or if I need to adjust or improve further.
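The audience mismatch described in the PR description above, as an added example that is not part of the pull request or of the openid_connect library. The module, function and option names (`AudienceCheckExample`, `verify_audience/3`, `:skip_audience_check`) and the client IDs are hypothetical, and the claims are assumed to come from a token whose signature was already verified.

```elixir
defmodule AudienceCheckExample do
  # Hypothetical module for illustration; not the openid_connect API.

  # Checks the "aud" claim of already signature-verified claims.
  # "aud" may be a single string or a list of strings (RFC 7519, section 4.1.3),
  # so it is normalised to a list first; a missing claim becomes [].
  def verify_audience(claims, expected_client_id, opts \\ []) do
    audiences = claims |> Map.get("aud") |> List.wrap()

    cond do
      # Opt-in flag (assumed name): the comparison is skipped entirely.
      Keyword.get(opts, :skip_audience_check, false) -> :ok
      expected_client_id in audiences -> :ok
      true -> {:error, {:audience_mismatch, audiences}}
    end
  end
end

# Constructed claims for a client-credentials token: "aud" carries the
# caller's client ID, not the ID of the resource that verifies the token.
claims = %{"aud" => "caller-client-id"}
resource_id = "resource-client-id"

# Without the flag, the resource rejects the token.
{:error, {:audience_mismatch, ["caller-client-id"]}} =
  AudienceCheckExample.verify_audience(claims, resource_id)

# With the flag, the audience comparison is skipped.
:ok = AudienceCheckExample.verify_audience(claims, resource_id, skip_audience_check: true)

# A list-valued "aud" that includes the resource passes without the flag.
:ok = AudienceCheckExample.verify_audience(%{"aud" => ["other-client", resource_id]}, resource_id)

# A missing "aud" is rejected unless the check is skipped.
{:error, {:audience_mismatch, []}} = AudienceCheckExample.verify_audience(%{}, resource_id)
```

With the comparison skipped, the `aud` claim no longer restricts which client's tokens the verifier accepts.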
@davydog187 thoughts?
Hi there! Do you have any updates about this minor feature?
I am asking because this is the leading blocker for me to change the :oidcc stale version from years ago to your library in a legacy codebase I started maintaining.
@davydog187 asked to help maintain this library so I defer to him but he hasn't weighed in yet.
Apologies all, I'm just coming up for air from the other side of a massive launch, a bit behind on OSS. Thanks for the ping @bcardarella
@altjohndev I left a few comments, let me know if you have questions. If you prefer, I'd be happy to merge and push a cleanup.
Hi @davydog187, thanks for reviewing the PR.
I applied your suggestions here: https://github.com/DockYard/openid_connect/pull/71/commits/47398e523571e1a09e157b682ea4799d8d307619
Looks great! Once CI passes I will merge. CC: @bcardarella
🍍 🍍 🍍 🍍 🍍