Can JWT audience checking be disabled in ESPv2?


hans.r...@impact.com

Jun 7, 2022, 9:42:42 AM6/7/22
to Google Cloud Endpoints
Hi there,

I'd like to at least temporarily disable the JWT "aud" claim check in ESPv2 as it'll take a while to get it added to the token. Is there a way to do this?

It seems that the JWT RFC calls out "aud" as optional. I've tried removing aud from the token and x-google-audiences from the OpenAPI doc, but I'm getting the "Audience not allowed" error still. Same error when using x-google-audiences: "", so setting it to an empty string. I suspect the answer is "no, this is not possible as it would be less secure". 

Thanks,
Hans

qiwz...@google.com

Jun 7, 2022, 11:49:29 AM6/7/22
to Google Cloud Endpoints
Just checked ESPv2 code, you could not disable "aud" checking. If you don't specify `x-google-audiences`, we will set the default one for you.

-Wayne

qiwz...@google.com

Jun 7, 2022, 11:50:38 AM6/7/22
to Google Cloud Endpoints
BTW, could you open an issue at this repo? Thanks.
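As an added illustration, not taken from the thread or from the ESPv2 project, this is the OpenAPI `securityDefinitions` shape the replies refer to; the issuer, JWKS URI, host and audience values are placeholders. Since leaving `x-google-audiences` out makes ESPv2 substitute its own default and an empty string is still compared against the token's `aud`, the workable approach is to declare the audience the token will actually carry rather than trying to switch the check off.

```yaml
swagger: "2.0"
info:
  title: example-api          # placeholder
  version: "1.0.0"
host: example-api.endpoints.PROJECT_ID.cloud.goog   # placeholder project id
schemes:
  - https
securityDefinitions:
  # One JWT definition: where ESPv2 fetches signing keys and which audiences it accepts.
  my_jwt:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://issuer.example.com"                          # placeholder
    x-google-jwks_uri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder
    # Omitting x-google-audiences does NOT disable the "aud" check: ESPv2 fills in a
    # default and rejects tokens whose aud differs ("Audience not allowed").
    # Setting it to "" produced the same error in the thread above.
    # So list every audience value the tokens will actually carry (comma-separated).
    x-google-audiences: "example-api.endpoints.PROJECT_ID.cloud.goog"
security:
  - my_jwt: []
paths:
  /hello:
    get:
      summary: Example protected route (placeholder)
      operationId: hello
      responses:
        "200":
          description: OK
```

Tokens presented to this service must then include a matching `aud` claim; the issuer and JWKS endpoint only establish who signed the token, while the audience check is what stops a token minted for another service from being accepted here.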