
Extending JWT claims validation to support other claims #5418

Open
hubodz opened this issue Jan 29, 2025 · 2 comments

Comments


hubodz commented Jan 29, 2025

Based on the source, I understand that only a limited number of JWT claims can be validated. Trying to validate other claims results in the error unknown_checks.
I would like to ask for introducing validation of any provided claim.

In my case, I use an SSO of a huge Organisation, where many users can define their own applications/clients (signed with same SSO key). Without validating aud, anyone could create another application with roles that my CouchDB instance accepts.

Desired Behaviour

When provided a config like the one below, the claim aud should be verified: both that it exists and that it matches the provided my-application value.

required_claims = exp, {aud, "my-application"}

I believe it's worth allowing such validation for any custom claim (only to check existence and value matching, if provided).

Possible Solution

I believe the source should not limit the check only to the claims specified in line 45. There could be a function providing a "general" claim check, no matter what the claim is exactly.
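The check proposed above, as an added example in Python rather than CouchDB's own Erlang code: parse the proposed required_claims syntax into (claim, expected value) pairs and apply them to a decoded JWT payload, so that a token minted for a different aud is rejected even when it carries roles the instance would otherwise accept. Signature verification is assumed to have happened before these checks; make_token and the sample claims are constructed for the demonstration and are not part of CouchDB.

```python
import base64
import json
import re
import time

# Grammar of the proposed setting: bare names (presence only) and
# {name, "value"} pairs (presence plus exact value match), comma separated.
SPEC_RE = re.compile(r'\{\s*(\w+)\s*,\s*"([^"]*)"\s*\}|(\w+)')

def parse_required_claims(spec):
    """'exp, {aud, "my-application"}' -> [("exp", None), ("aud", "my-application")]"""
    checks = []
    for m in SPEC_RE.finditer(spec):
        if m.group(3):
            checks.append((m.group(3), None))        # presence-only check
        else:
            checks.append((m.group(1), m.group(2)))  # presence + value check
    return checks

def check_claims(payload, checks, now=None):
    """Return the list of failed checks; an empty list means the token is accepted.
    Each listed claim must be present; a configured value must match exactly
    (aud may be a JSON array per RFC 7519, so any member may match); exp must
    also lie in the future."""
    now = time.time() if now is None else now
    failures = []
    for claim, expected in checks:
        if claim not in payload:
            failures.append(f"missing claim {claim}")
            continue
        actual = payload[claim]
        if expected is not None:
            values = actual if isinstance(actual, list) else [actual]
            if expected not in values:
                failures.append(f"claim {claim}={actual!r} != {expected!r}")
        elif claim == "exp" and actual <= now:
            failures.append("token expired")
    return failures

def jwt_payload(token):
    """Decode the payload segment of a compact JWS (signature assumed verified earlier)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def make_token(claims):
    """Constructed sample token with a dummy signature, for demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])
```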

rnewson (Member) commented Feb 3, 2025

Hm, I think a pull request to add aud specifically would be fine (and should be fairly easy). Not sure bespoke checks are a good idea.

hubodz (Author) commented Feb 6, 2025

Hey, thanks for your answer. Can you tell me more about why the bespoke checks would be a bad idea (as long as it's a simple string comparison)?
