From 6330e4db5d85eb6fdc4219f5896a9126e7cc26d6 Mon Sep 17 00:00:00 2001
From: Adam Vessey
Date: Wed, 23 Jun 2021 12:47:09 -0300
Subject: [PATCH] Permissively allow without the "aud" claim...

... _could_ roll more conditionally, with some state set during an update hook; however, seems like unnecessary complexity.
---
 src/EventSubscriber/JwtEventSubscriber.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/EventSubscriber/JwtEventSubscriber.php b/src/EventSubscriber/JwtEventSubscriber.php
index b3d15a43..153187f6 100644
--- a/src/EventSubscriber/JwtEventSubscriber.php
+++ b/src/EventSubscriber/JwtEventSubscriber.php
@@ -114,7 +114,14 @@ class JwtEventSubscriber implements EventSubscriberInterface {
   public function validate(JwtAuthValidateEvent $event) {
     $token = $event->getToken();
-    if (!in_array(static::AUDIENCE, $token->getClaim('aud'), TRUE)) {
+    $aud = $token->getClaim('aud');
+
+    if (!$aud) {
+      // Deprecation cycle: Avoid invalidating if there's no "aud" claim, to
+      // allow tokens in flight before the introduction of this claim to remain
+      // valid.
+    }
+    elseif (!in_array(static::AUDIENCE, $aud, TRUE)) {
       $event->invalidate('Missing audience entry.');
       return;
     }
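Review bot: The new `if (!$aud)` branch makes a missing audience claim an unconditional pass, so any token verified by the same key that simply omits `aud` now skips the audience check entirely — not only the in-flight tokens the comment describes, but also any token minted for another consumer of that key that never set one. Consider bounding the exemption by something the token already carries, for example accepting an absent `aud` only when its `$token->getClaim('iat')` predates the rollout of the claim (the rollout time as a named constant, not a literal in the condition), and logging every exempted token so the deprecation window can be monitored and then closed with an explicit removal issue. The truthiness test also treats an empty array or `"0"` like an absent claim; `if ($aud === NULL) {` would be precise, assuming getClaim() returns null for an absent claim — verify against the token class. The `elseif` still hands `$aud` straight to `in_array()`, which throws a TypeError when the claim is a single string as RFC 7519 allows; `elseif (!in_array(static::AUDIENCE, (array) $aud, TRUE)) {` covers both shapes. The `validate()` method continues past the end of the hunk.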