Security: Implement RFC 7519 Compliant JWT Audience Validation

packages/openauth/package.json

@@ -12,7 +12,7 @@
     "@tsconfig/node22": "22.0.0",
     "@types/node": "22.10.1",
     "arctic": "2.2.2",
-    "hono": "4.6.9",
+    "hono": "4.10.5",
     "typescript": "5.6.3",
     "valibot": "1.0.0-beta.15"
   },

packages/openauth/src/client.ts

@@ -286,7 +286,16 @@ export interface VerifyOptions {
    */
   issuer?: string
   /**
-   * @internal
+   * The expected audience (aud) claim value. This should match the client ID
+   * that the token was issued for. If not provided, defaults to the client's
+   * configured clientID.
+   *
+   * @example
+   * ```ts
+   * {
+   *   audience: "api"
+   * }
+   * ```
    */
   audience?: string
   /**
@@ -700,13 +709,15 @@ export function createClient(input: ClientInput): Client {
       options?: VerifyOptions,
     ): Promise<VerifyResult<T> | VerifyError> {
       const jwks = await getJWKS()
+      const expectedAudience = options?.audience || input.clientID
       try {
         const result = await jwtVerify<{
           mode: "access"
           type: keyof T
           properties: v1.InferInput<T[keyof T]>
         }>(token, jwks, {
           issuer,
+          audience: expectedAudience,
         })
         const validated = await subjects[result.payload.type][
           "~standard"
@@ -732,6 +743,7 @@ export function createClient(input: ClientInput): Client {
             {
               refresh: refreshed.tokens!.refresh,
               issuer,
+              audience: expectedAudience,
               fetch: options?.fetch,
             },
           )

packages/openauth/src/issuer.ts

@@ -1114,26 +1114,48 @@ export function issuer<
       )
     }
 
-    const result = await jwtVerify<{
-      mode: "access"
-      type: keyof SubjectSchema
-      properties: v1.InferInput<SubjectSchema[keyof SubjectSchema]>
-    }>(token, () => signingKey().then((item) => item.public), {
-      issuer: issuer(c),
-    })
+    try {
+      const result = await jwtVerify<{
+        mode: "access"
+        type: keyof SubjectSchema
+        properties: v1.InferInput<SubjectSchema[keyof SubjectSchema]>
+        aud?: string
+      }>(token, () => signingKey().then((item) => item.public), {
+        issuer: issuer(c),
+      })
 
-    const validated = await input.subjects[result.payload.type][
-      "~standard"
-    ].validate(result.payload.properties)
+      // Validate that the token has an audience claim
+      if (!result.payload.aud) {
+        return c.json(
+          {
+            error: "invalid_token",
+            error_description: "Token missing audience claim",
+          },
+          401,
+        )
+      }
 
-    if (!validated.issues && result.payload.mode === "access") {
-      return c.json(validated.value as SubjectSchema)
-    }
+      const validated = await input.subjects[result.payload.type][
+        "~standard"
+      ].validate(result.payload.properties)
 
-    return c.json({
-      error: "invalid_token",
-      error_description: "Invalid token",
-    })
+      if (!validated.issues && result.payload.mode === "access") {
+        return c.json(validated.value as SubjectSchema)
+      }
+
+      return c.json({
+        error: "invalid_token",
+        error_description: "Invalid token",
+      })
+    } catch (e) {
+      return c.json(
+        {
+          error: "invalid_token",
+          error_description: "Token verification failed",
+        },
+        401,
+      )
+    }
   })
 
   app.onError(async (err, c) => {