From 94c649abd631b1069cf56a5985b2027e755f8174 Mon Sep 17 00:00:00 2001
From: Manuel van Rijn
Date: Wed, 3 Jul 2024 14:14:05 +0200
Subject: [PATCH] Only pass along `audience` if it is specified
---
 lib/omniauth/strategies/openid_connect.rb | 12 ++++++++----
 test/lib/omniauth/strategies/openid_connect_test.rb | 5 +++--
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index 802d14bc..0627392b 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -465,10 +465,14 @@ def configured_response_type
 
       def verify_id_token!(id_token)
         return unless id_token
-        decode_id_token(id_token).verify!(issuer: options.issuer,
-                                          client_id: client_options.identifier,
-                                          audience: client_options.audience,
-                                          nonce: params['nonce'].presence || stored_nonce)
+        verify_kwargs = {
+          issuer: options.issuer,
+          client_id: client_options.identifier,
+          nonce: params['nonce'].presence || stored_nonce,
+        }
+        verify_kwargs.merge!(audience: client_options.audience) if client_options.audience
+
+        decode_id_token(id_token).verify!(**verify_kwargs)
       end
 
       class CallbackError < StandardError
diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
index 04eec1dc..105edceb 100644
--- a/test/lib/omniauth/strategies/openid_connect_test.rb
+++ b/test/lib/omniauth/strategies/openid_connect_test.rb
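Review bot: The guard `if client_options.audience` on the merge! line treats a blank audience as configured, because only nil and false are falsy in Ruby, so an audience set to '' (for example a setting interpolated from an unset value) is still handed to verify! and the token is rejected on audience mismatch instead of taking the default check; the same method already normalises the nonce with `.presence`, so the consistent form is `verify_kwargs[:audience] = client_options.audience if client_options.audience.present?`. That line also deserves a comment stating why the key is omitted rather than passed as nil: with no `audience:` the check relies on verify!'s own default, which is not visible in this hunk and presumably falls back to client_id — worth confirming, since an ID token's aud must always be verified against this client. The trailing comma after the nonce entry in the hash literal is unnecessary.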
@@ -252,10 +252,11 @@ def test_callback_phase_with_audience
     state = SecureRandom.hex(16)
     strategy.options.response_type = 'id_token'
     strategy.options.issuer = 'example.com'
-    strategy.options.client_options.audience = "my_audience"
+    strategy.options.client_options.audience = 'my_audience'
     id_token = stub('OpenIDConnect::ResponseObject::IdToken')
-    id_token.expects(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, audience: "my_audience", nonce: nonce).returns(true)
+    id_token.expects(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, audience: 'my_audience',
+                                    nonce: nonce).returns(true)
     id_token.stubs(:raw_attributes, :to_h).returns(payload)
     request.stubs(:params).returns('state' => state, 'nounce' => nonce, 'id_token' => id_token)