Multiple valid values for issuer(iss)

[umareddy]

First, thank you for providing the module, saved me a lot of time.

According to https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#prompt

The Issuer Identifier for the Issuer of the response. Always https://accounts.google.com or accounts.google.com for Google ID tokens.

Google allows for two possible values. In the verify method the code can only check for one possible value:

if (options.issuer) {
    if (payload.iss !== options.issuer)
      return done(new JsonWebTokenError('jwt issuer invalid. expected: ' + options.issuer));
  }

Is this a problem? or am I missing something.
The fix would be to treat iss similar to aud in the verify method. Should iss be treated similar to aud?

Thanks.

[jfromaniello]

I added support for this, you can pass a list of valid issuers now:

issuer: [ "https://accounts.google.com", "accounts.google.com" ]

[umareddy]

Thank you.

On Feb 16, 2016, at 7:24 AM, José F. Romaniello [email protected] wrote:

I added support for this, you can pass a list of valid issuers now:

issuer: [ "https://accounts.google.com", "accounts.google.com" ]
—
Reply to this email directly or view it on GitHub #163 (comment).