Only pass along audience if it is specified

Author: manuelvanrijn

lib/omniauth/strategies/openid_connect.rb

@@ -465,10 +465,14 @@ def configured_response_type
       def verify_id_token!(id_token)
         return unless id_token
 
-        decode_id_token(id_token).verify!(issuer: options.issuer,
-                                          client_id: client_options.identifier,
-                                          audience: client_options.audience,
-                                          nonce: params['nonce'].presence || stored_nonce)
+        verify_kwargs = {
+          issuer: options.issuer,
+          client_id: client_options.identifier,
+          nonce: params['nonce'].presence || stored_nonce,
+        }
+        verify_kwargs.merge!(audience: client_options.audience) if client_options.audience
+
+        decode_id_token(id_token).verify!(**verify_kwargs)
       end
 
       class CallbackError < StandardError

test/lib/omniauth/strategies/openid_connect_test.rb

@@ -252,10 +252,11 @@ def test_callback_phase_with_audience
         state = SecureRandom.hex(16)
         strategy.options.response_type = 'id_token'
         strategy.options.issuer = 'example.com'
-        strategy.options.client_options.audience = "my_audience"
+        strategy.options.client_options.audience = 'my_audience'
 
         id_token = stub('OpenIDConnect::ResponseObject::IdToken')
-        id_token.expects(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, audience: "my_audience", nonce: nonce).returns(true)
+        id_token.expects(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, audience: 'my_audience',
+                                        nonce: nonce).returns(true)
         id_token.stubs(:raw_attributes, :to_h).returns(payload)
 
         request.stubs(:params).returns('state' => state, 'nounce' => nonce, 'id_token' => id_token)