Go Backend Quickstart: Invalid Audience Claim

In the Go quickstart for the backend, I can’t get the test JWTs provided by the test tab of my API to work.

When I log the error, I get

square/go-jose/jwt: validation failed, invalid audience claim (aud)

The audience claim in the JWT, the audience string set in my API settings, and the audience string set in my go code are all exactly the same. Everything uses RS256.

Why would the audience claim fail to validate?

My Go knowledge (which is zero) does not allow me to provide a definitive answer; however, based on the information you provided and a look at the code base that performs the validation, there's something that could be the culprit.

From the Auth0 side, when you request a user to authenticate and at the same time obtain an access token for your own API, the returned access token will include the audience of the API and also the audience of the /userinfo endpoint when your API is using RS256.

The reason for this is that, since the API is using RS256, only Auth0 has knowledge of the private key, so it can leverage support for multiple audiences in the same access token as a way to let you call your own API and also the /userinfo endpoint.

Most JWT validation libraries will then perform an audience check validation with the following very high level algorithm:

  • if the JWT aud claim is a string then the value needs to exactly match the expected audience passed for validation;
  • if the JWT aud claim is an array then one of its values needs to exactly match the expected audiences passed for validation.

However, from a quick look at the Go code that is doing the JWT validation we have the following, where e.Audience is the expected audience and c.Audience is the one coming from the token:

if len(e.Audience) != 0 {
  // first check: the number of expected audiences must equal the number in the token
  if len(e.Audience) != len(c.Audience) {
    return ErrInvalidAudience
  }

  // second check: every expected audience must be present in the token
  for _, v := range e.Audience {
    if !c.Audience.Contains(v) {
      return ErrInvalidAudience
    }
  }
}

This is where my Go fails me, so I'm not sure of this, but it may be the situation that the JWT validation library is expecting to match all audiences, so when you provide only one it will fail the first check, which seems to be based on the number of audiences expected vs the number of audiences provided in the token.

Given you're already using Go, you'll be able to prove or dismiss this theory; if what I said above is not complete craziness, you may want to try to provide as expected audiences all the audiences you see in the returned JWT. Can you also confirm whether this solves the situation, so I can make a request to update the quickstart?
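As an added example (not the poster's code and not go-jose's), the following stdlib-only Go reproduces the two rules discussed above side by side: a strict rule shaped like the quoted go-jose.v2 snippet, and the usual "one of the aud values must match" rule. It assumes the JWT signature has already been verified and that the payload has been base64-decoded; the audience URLs are constructed placeholders.

```go
package main

import "encoding/json"

// Constructed payload shaped like the multi-audience access token described above.
const samplePayload = `{"aud":["https://api.example.com","https://example.auth0.com/userinfo"]}`

// Audience decodes both encodings of "aud": a single string or an array.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var s string
	if json.Unmarshal(b, &s) == nil { // single-audience token
		*a = Audience{s}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a)) // array form, e.g. your API plus /userinfo
}

// parseAud reads aud from a JWT payload whose signature has already been verified.
func parseAud(payload string) (Audience, error) {
	var c struct{ Aud Audience `json:"aud"` }
	err := json.Unmarshal([]byte(payload), &c)
	return c.Aud, err
}

// matches counts how many of the expected audiences appear in the token.
func matches(expected, token Audience) (n int) {
	for _, e := range expected {
		for _, t := range token {
			if e == t {
				n++
			}
		}
	}
	return n
}

// strictCheck mirrors the quoted go-jose.v2 rule: the counts must match and every
// expected value must be present, so one expected audience against this token fails.
func strictCheck(expected, token Audience) bool {
	return len(expected) == len(token) && matches(expected, token) == len(expected)
}

// oneOfCheck is the "one of its values must match" rule described above, which is
// what a resource server validating its own audience needs.
func oneOfCheck(expected, token Audience) bool {
	return matches(expected, token) > 0
}
```

With samplePayload, strictCheck rejects the single API audience and only passes once both audiences are supplied, while oneOfCheck accepts the API audience on its own.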

Thanks, that was exactly the issue; adding the userinfo audience resolved the error.

Hi there @inbuninbu, I've looked into this and discovered the issue. The problem is with the go-jose.v2 package that is used to validate the audience. This package requires that the claims audience has the same number of items as the audience identifier in your application. This shouldn't be a requirement, and we are working with Square to update the library as soon as possible.

You won’t see the problem when you are not using openid, but we hope to get a fix for this quickly.

Any news on this issue? @adnan.kukic, did you finally fix it with the Square team?

Hi @romain - yes, the issue has been fixed in the library. Please install the latest version of the go-jose.v2 package and everything should work now.

Thanks!