Claims array support (Audience, etc)

[macarlet]

Hi, reading the rfc about audience claim https://tools.ietf.org/html/rfc7519#section-4.1.3, it seems that the aud can be a list of values, but the api implement this claim just as a single value.

[lhazlewood]

Yep, you're right - thanks for the issue. We have to do this for a similar set of other claims as well.

Can you use the JwtBuilder#addClaims method to work around this temporarily?

[macarlet]

Sure! Thanks!

[workmanw]

@lhazlewood Just out of curiosity is this something you would expect a PR for? Or would you rather just keep the audience simple without an array?

[lhazlewood]

@workmanw we want to be 100% compliant with the spec, and the spec allows for arrays, so we definitely want to support this and/or accept PRs for it.

The reason for the delay on this particular issue is that if we're going to solve it, we need to solve it for all header or claims fields that can support arrays, not just for aud claim. So any work towards this (or PRs submitted) should solve the problem holistically.

This is probably something we can do for a 0.11 release, but if backwards-incompatible changes would make for the nicest API, we'll need to put it in 1.0.

[lhazlewood]

Some thoughtful design needs to go into this and we just don't want to hold up 0.11 any longer - adding to a future release.

[martinth]

In the meantime, you can do this to get the audiences:

Set<String> audiences = Set.copyOf(jwtToken.getBody().get("aud", ArrayList.class));

[Rambalac]

Well, you cannot. Java Maps do not allow you to convert into collections. And Java Maps do not keep duplicated keys.

[lhazlewood]

I realized we have a couple issues open relating to aud being an array. Closing this as a duplicate of #77 which we hope to have fixed in the 0.12.0 release