feat(gateway): add audience validation to OIDC access token verification

Validates the aud claim against OAUTH_AUDIENCE when verifying
JWT access tokens via JWKS. Required when OAUTH_ISSUER is set.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: pilartomas

.env.example

@@ -13,6 +13,7 @@ AUTH_MODE=local
 # Set all three + NEXTAUTH_SECRET to enable multi-user OAuth login.
 # Redirect URI to register with your provider: {APP_URL}/api/auth/callback/oidc
 OAUTH_ISSUER=
+OAUTH_AUDIENCE=
 OAUTH_CLIENT_ID=
 OAUTH_CLIENT_SECRET=
 

apps/gateway/src/jwks.rs

@@ -70,6 +70,7 @@ pub(crate) struct AccessTokenClaims {
 #[derive(Clone)]
 pub(crate) struct JwksManager {
     issuer: String,
+    audience: String,
     jwks_uri: String,
     cache: Arc<RwLock<CachedKeys>>,
     http_client: reqwest::Client,
@@ -84,7 +85,7 @@ impl JwksManager {
     /// Fetches `{issuer_url}/.well-known/openid-configuration` to discover
     /// the `jwks_uri`, then fetches the initial key set. Fails if the
     /// discovery document or JWKS cannot be fetched.
-    pub async fn new(issuer_url: &str) -> Result<Self> {
+    pub async fn new(issuer_url: &str, audience: String) -> Result<Self> {
         let http_client = reqwest::Client::new();
         let base = issuer_url.trim_end_matches('/');
 
@@ -109,6 +110,7 @@ impl JwksManager {
 
         Ok(Self {
             issuer: discovery.issuer,
+            audience,
             jwks_uri: discovery.jwks_uri,
             cache: Arc::new(RwLock::new(CachedKeys {
                 keys,
@@ -173,7 +175,7 @@ impl JwksManager {
         let mut validation = Validation::default();
         validation.algorithms = ACCEPTED_ALGORITHMS.to_vec();
         validation.set_issuer(&[&self.issuer]);
-        validation.validate_aud = false;
+        validation.set_audience(&[&self.audience]);
 
         let token_data: TokenData<AccessTokenClaims> =
             decode(token, key, &validation).map_err(|e| {

apps/gateway/src/main.rs

@@ -148,7 +148,9 @@ async fn main() -> Result<()> {
     // so JWKS is not required for browser-based auth to work.
     let jwks = match std::env::var("OAUTH_ISSUER") {
         Ok(issuer) => {
-            let manager = jwks::JwksManager::new(&issuer).await?;
+            let audience = std::env::var("OAUTH_AUDIENCE")
+                .context("OAUTH_AUDIENCE must be set when OAUTH_ISSUER is set")?;
+            let manager = jwks::JwksManager::new(&issuer, audience).await?;
             Some(manager)
         }
         Err(_) => None,

turbo.json

@@ -62,7 +62,8 @@
         "REDIS_TLS",
         "COGNITO_USER_POOL_ID",
         "AUTH_MODE",
-        "OAUTH_ISSUER"
+        "OAUTH_ISSUER",
+        "OAUTH_AUDIENCE"
       ]
     },
     "@onecli/gateway#check": {