From 60919af91a29b61d728d8b5a02d8af84271d0eaa Mon Sep 17 00:00:00 2001
From: Robert Vogel <1201528+osnard@users.noreply.github.com>
Date: Tue, 17 Sep 2024 17:48:09 +0200
Subject: [PATCH] Fix TypeError in `verifyJWTClaims` (#442) ... when ClientID does not match
Co-authored-by: Robert Vogel
---
 src/OpenIDConnectClient.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index e3f9d3f2..b38a81cd 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -1201,8 +1201,10 @@ protected function verifyJWTClaims($claims, string $accessToken = null): bool
 $len = ((int)$bit)/16;
 $expected_at_hash = $this->urlEncode(substr(hash('sha'.$bit, $accessToken, true), 0, $len));
 }
+ $auds = $claims->aud;
+ $auds = is_array( $auds ) ? $auds : [ $auds ];
 return (($this->validateIssuer($claims->iss))
- && (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud, true))
+ && (in_array($this->clientID, $auds, true))
 && ($claims->sub === $this->getIdTokenPayload()->sub)
 && (!isset($claims->nonce) || $claims->nonce === $this->getNonce())
 && ( !isset($claims->exp) || ((is_int($claims->exp)) && ($claims->exp >= time() - $this->leeway)))
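Review bot: The audience check on the `in_array($this->clientID, $auds, true)` line accepts any `aud` list that merely contains the client ID, and no clause in the visible part of the return expression looks at `azp`. OpenID Connect Core's ID Token validation rules say a client should verify that `azp` is present when the token carries multiple audiences and, if `azp` is present, that it equals its own client_id. The function starts above the hunk and the return expression continues below it, so this may already be handled there; if it is not, a clause such as `&& (!isset($claims->azp) || $claims->azp === $this->clientID)` would cover the second rule. Separately, `$claims->aud` is read without an `isset`, so a token with no `aud` claim presumably triggers an undefined-property diagnostic before the check fails closed; `$auds = $claims->aud ?? [];` keeps the rejection without it.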