Is your feature request related to a problem? Please describe.
I have an access token with a custom claim that is messy to extract because of its nested structure, for example:

map[aud:example default_user_id:<nil> exp:%!s(float64=1.669480533e+09) iat:%!s(float64=1.669307733e+09) iss:example:[map[customer_id:example customer_name:example role:example user_id:example]] sid:example sub:example ui_token:map[access_token:example created_at:2022-11-24T16:35:30Z customer_id:example expires_at:2022-11-25T04:35:30Z id:example name:example browser session scope:global service_id:<nil> services:[] token_type:bearer updated_at:2022-11-24T16:35:30Z user_id:example]]

I'd like to get to the access_token key inside the ui_token map.

Describe the solution you'd like
A function I could use under the jwt package to easily extract a key from the claim.

Describe alternatives you've considered
Just manually checking each field and coercing from an interface{} type to the required types. It's not the end of the world, but it feels like something that should be made easier through some kind of package abstraction.

the coreos package that cap uses recently added support to allow the validation of the issuer against the discovery doc: coreos/go-oidc#315

upgrading to v3 of go-oidc and supporting a similar flag in cap would allow callers to use providers like Azure with it's non-compliant issues.

Describe the bug
When I use Vault to pass OIDC certification, The returned id_token claim contains multiple audiences(aud), without authorized party (azp), which resulted in an error output. Provider. VerifyIDToken: invalid id_token : multiple audiences and authorized party (%!s(<nil>)) is not equal client_id (vault-oidc-client-id) , I traced back to this by looking at the relevant source code, hair this code, there is a simple logic problem.

To Reproduce
Steps to reproduce the behavior:

1. vualt oidc config

vault server -dev -dev-root-token-id=myroot -log-level=debug > /tmp/vault.log 2>&1 & 
sleep 1 
export VAULT_TOKEN=myroot 
export VAULT_ADDR=http://127.0.0.1:8200 

cat - > /tmp/devpolicy. hcl <<EOF 
path "/secret/*" { 
 capabilities = ["read", "list"] 
} 
EOF 
vault policy write dev /tmp/devpolicy.hcl 

vault auth enable oidc 

vault write auth/oidc/config \ 
    oidc_discovery_url="http://localhost:8082/api/oauth2" \ 
    oidc_client_id="vault-oidc-client-id" \ 
    oidc_client_secret="admin" \ 
    default_role="demo" 

vault write auth/oidc/role/demo \ 
    bound_audiences="vault-oidc-client-id" \ 
    allowed_redirect_uris="http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback" \ 
    allowed_redirect_uris="http://127.0.0.1:8250/oidc/callback" \ 
    user_claim="sub" \ 
    policies=dev 

Expected behavior
If the ID Token contains multiple audiences, the Client should verify that an azp Claim is present

reference

• https://security.stackexchange.com/questions/145818/openid-connect-standard-authorized-party-azp-contradiction
• https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

Screenshots

• id_token （This is the id_token returned by OIDC OP, parsed through jwt.io）

id_token = eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5UQXhabU14TkRNeVpEZzNNVFUxWkdNME16RXpPREpoWldJNE5ETmxaRFUxT0dGa05qRmlNUSIsInR5cCI6IkpXVCJ9.eyJhdF9oYXNoIjoiTGtobjVWbWFHeHd6TldBVGNhRVhidyIsImF1ZCI6WyJodHRwczovL215LWNsaWVudC5teS1hcHBsaWNhdGlvbi5jb20iLCJ2YXVsdC1vaWRjLWNsaWVudC1pZCJdLCJhdXRoX3RpbWUiOjE2NTkyNTE2MzcsImV4cCI6MTY1OTI3MzIzNywiaWF0IjoxNjU5MjUxNjQ1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODIvYXBpL29hdXRoMiIsImp0aSI6ImYwYmE2NTE4LTUxZTktNDA4My04ZDhmLThlOTViOWYzNTI1ZiIsIm5vbmNlIjoibl92cEVVckdLYXpsZlk0Wm5aNXBmMiIsInJhdCI6MTY1OTI1MTYzNywic3ViIjoicGV0ZXIifQ.LOZUPJb_C3MbOXIjjMk8509SAHwAIot-VjztKkIbkplHe0FHfNOIbijx8HfyGURzqNNSgvmvta-57jdL5XVJZQzBZ4TDihUjyEzOPr-cdeZMla3FpwZRC7ftIUzuNxB4-ntfT0_5_LWVoVfC32B5cnxrxxYuVQNB-B8gz5-5ZE9K6e6W-s3x-7ltPIex4XJlNOM8JVjghJEH_381zUFKu2_sD-PjON1sHzgVeLHcX_WbomztKm6ZUhn-DOPiTtIsAwyFNGARUT80WJ-LOuFa7uD0Rvun0Jjs0OC6ReJ9rGad_z4F3rIm7lNQH4PDCkUuUe_aEYFfJJjO2NTog63b2g

• vault
  

Desktop (please complete the following information):

• OS: win10
• Browser: chrome
• Version: 103.0.5060.134

Is your feature request related to a problem? Please describe.
GitLab is in the process of modifying the JWT tokens it provides in CI jobs, and in particular it is changing the iss (Issuer) claim value:

• it was gitlab.something.com in old-style tokens (deprecated but widely used)
• it is https://gitlab.something.com in new tokens (obtained via a new pipeline keyword)

It's a legitimate change, but transition is painful in the context of GitLab/Vault interactions, because on Vault side it requires two JWT auth URLs; one for each style of tokens (for each specific bound_issuer). GitLab users (pipelines authors) must take into account that when they update the way they obtain a JWT token, they must also adapt their target Vault auth URL. In our case it will affect many people across many project/teams.

Describe the solution you'd like
I'd like to have the option to configure JWT auth plugin only once in Vault, in such a way it tolerates both forms of Issuer claim (FQDN and https://FQDN). It could be a boolean option to enable the special case (something like "ignore protocol in iss: claim if bound_issuer is a domain name"), or the ability to provide a list of bound_issuers.
At least the "special case" option would not be too difficult to take into account in cap/jwt, I think, here:

Describe alternatives you've considered
The alternative is to live with two JWT auth URL in Vault during the transition period, until deprecated tokens disappear, like this.

[Note: this issue was seen in Boundary, but is being filed here per conversation with @jimlambrt]

Describe the bug
Boundary cannot unmarshal the aud claim that Dex returns. The output given in the Boundary UI is {"kind":"Internal", "message":"authmethod_service.(Service).authenticateOidcCallback: Callback validation failed.: parameter violation: error #100: oidc.Callback: unable to get user info from provider: unknown: error #0: Provider.UserInfo: failed to parse claims for UserInfo verification: json: cannot unmarshal string into Go struct field verifyClaims.Aud of type []string"}

To Reproduce
I set up a Dex provider in a Docker container with the following config:

• Docker run:

docker run -d -v /etc/dex/dex-config.yaml:/etc/dex/config.docker.yaml -p 5556:5556 -p 5558:5558 quay.io/dexidp/dex:latest

• Dex config in /etc/dex/dex-config.yaml:

issuer: http://[Dex instance public IP]:5556/dex

storage:
  type: memory

web:
  http: 0.0.0.0:5556

telemetry:
  http: 0.0.0.0:5558

grpc:
  addr: 127.0.0.1:5557

logger:
  level: "debug"
  format: "text" # can also be "json"

oauth2:
  responseTypes: [ "code", "token", "id_token" ] # also allowed are "token" and "id_token"

staticClients:
- id: boundary
  name: Boundary
  secret: [client secret]
  redirectUris:
  - [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback

connectors:
- type: google
  id: google
  name: Google public login

enablePasswordDB: true

staticPasswords:
- email: "[email protected]"
  hash: "[bcrypt password hash]"
  username: "jthompson"

Boundary OIDC provider config for Dex:

$ boundary auth-methods read -id amoidc_JZg1tu7M19

Auth Method information:
  Created Time:           Mon, 17 May 2021 02:34:00 EDT
  ID:                     amoidc_JZg1tu7M19
  Is Primary For Scope:   false
  Name:                   Dex
  Type:                   oidc
  Updated Time:           Mon, 17 May 2021 02:36:15 EDT
  Version:                4

  Scope:
    ID:                   global
    Name:                 global
    Type:                 global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accountss:
      create
      list

  Attributes:
    api_url_prefix:       [Boundary controller address]
    callback_url:
    [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback
    client_id:            boundary
    client_secret_hmac:   kqu9d35RUER7qnleiSUmPMaCB9_YYQK_EIsJ1X-X0s0
    issuer:               http://[Dex instance public IP]:5556/dex
    signing_algorithms:   [RS256]
    state:                active-public

Expected behavior

Boundary OIDC should parse the aud claim received from Dex and authenticate the user.

Desktop (please complete the following information):

• OS: Fedora 34
• Browser: Firefox
• Version: 88

Hello there!

We are trying to set up Nomad's login using on-premise ADFS, but we have a problem with OIDC settings.
Since v1.5, nomad has supported OIDC provider from cap repo, but only with enabled discovery which used userinfo endpoint.
We suppose that config with disabled discovery option can help us. I mean changes from PR 2c6463e
My question is when you are going to release them, because I see that the last tag was on April 22.
Thanks.

Before upgrading to the latest version of [email protected], we should add more unit tests to catch potential race conditions.
Specifically, we should test the RequestTimeout parameter, since that seemed to be causing race conditions in v3.4.5

Is your feature request related to a problem? Please describe.

This library supports OIDC implicit flow (response_type=id_token) which doesn't need direct communication between RP and OP, but it needs direct communication for getting OIDC discovery metadata and JWKs currently.

As a specific use case, I'd like to use https://github.com/hashicorp/vault-plugin-auth-jwt to support authentication by OIDC without direct communication. Currently, CAP does not have the API, so need to implement this using a lot of reflect package as follows, which does not seem like a very good way to do it.

openstandia/vault-plugin-auth-jwt@9eb0e93

Describe the solution you'd like
For OIDC implicit flow without direct communication, I'd like to add support for static OIDC discovery metadata and JWKs.
Currently, provider.go has a factory func. I propose adding feature which creates the provider from static json documents for OIDC discovery metadata and JWKs.