upgraded to jwt/v5

tools/auth/oidc.go

@@ -12,7 +12,8 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/pocketbase/pocketbase/tools/security"
 	"github.com/pocketbase/pocketbase/tools/types"
 	"github.com/spf13/cast"
 	"golang.org/x/oauth2"
@@ -128,24 +129,24 @@ func (p *OIDC) parseIdToken(token *oauth2.Token) (jwt.MapClaims, error) {
 		return nil, err
 	}
 
-	// validate common claims like exp, iat, etc.
-	err = claims.Valid()
+	// validate common claims
+	jwtValidator := jwt.NewValidator(
+		jwt.WithIssuedAt(),
+		jwt.WithAudience(p.clientId),
+	)
+	err = jwtValidator.Validate(claims)
 	if err != nil {
 		return nil, err
 	}
 
-	// validate aud
-	if !claims.VerifyAudience(p.clientId, true) {
-		return nil, errors.New("aud must be the developer's client_id")
-	}
-
 	// validate iss (if "issuers" extra config is set)
 	issuers := cast.ToStringSlice(p.Extra()["issuers"])
 	if len(issuers) > 0 {
 		var isIssValid bool
+		claimIssuer, _ := claims.GetIssuer()
 
 		for _, issuer := range issuers {
-			if claims.VerifyIssuer(issuer, true) {
+			if security.Equal(claimIssuer, issuer) {
 				isIssValid = true
 				break
 			}