Check whether an access token's aud claim matches an expected resource URL.

Returns { ok: true } when the aud claim is a string equal to
expectedResource (after URL normalization), or is an array containing
such a string. Returns { ok: false, reason } otherwise, including when
the token is opaque (not a JWT) or has no aud claim.

URL normalization: lowercased scheme and host, default ports (80 for http,
443 for https) stripped, trailing slash on the path stripped. Query and
fragment are preserved verbatim. Non-URL audience strings are compared
byte-for-byte.

Defense-in-depth helper. If a server mis-issues a token with the wrong
aud, the token would still be accepted by the resource server; this helper
flags the mismatch on the client side for diagnostics.
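
An added example, not the library's own code, of a check with the behaviour described above. The function names, reason strings and sample-token helper are assumptions, and it relies on Node.js `Buffer` for base64url decoding.

```javascript
// Added example: all names and reason strings here are hypothetical.
// The token is only decoded, never signature-verified: the result is a
// client-side diagnostic, not an authorization decision.

function normalizeAudience(value) {
  // scheme "://" authority, path, then query and fragment kept verbatim
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)([^?#]*)(.*)$/i.exec(value);
  if (!m) return value; // non-URL audience: compared byte-for-byte
  const scheme = m[1].toLowerCase();
  let host = m[2].toLowerCase();
  if (scheme === 'http') host = host.replace(/:80$/, '');
  if (scheme === 'https') host = host.replace(/:443$/, '');
  const path = m[3].replace(/\/$/, ''); // strip one trailing slash
  return `${scheme}://${host}${path}${m[4]}`;
}

function decodeClaims(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null; // opaque token
  try {
    const c = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return c !== null && typeof c === 'object' && !Array.isArray(c) ? c : null;
  } catch {
    return null; // payload is not JSON, treat as opaque
  }
}

function checkTokenAudience(token, expectedResource) {
  const claims = decodeClaims(token);
  if (claims === null) return { ok: false, reason: 'token is opaque (not a JWT)' };
  if (claims.aud === undefined) return { ok: false, reason: 'token has no aud claim' };
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const expected = normalizeAudience(expectedResource);
  const hit = audiences.some(
    (a) => typeof a === 'string' && normalizeAudience(a) === expected
  );
  return hit ? { ok: true } : { ok: false, reason: 'aud does not match expected resource' };
}

// Constructed sample token with a placeholder signature, for trying the check.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}
```
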