From the AuthBridge roadmap (Deep Dive → Next Steps · Hardening / Security).
Current behavior: the expected audience used for JWT validation / token-exchange is derived from the request Host header.
Risk: the Host header is client-controlled. A caller who holds a token for one audience can send it to a different route while presenting that audience's Host; the check passes because the expected audience is computed from the same header the caller chose, so the token is no longer bound to the destination that actually receives the request (and a token-exchange can likewise be steered to mint a token for an unintended audience).
Proposed fix: derive the audience from the configured route / resolved destination, not from the client-supplied Host header. Host may still select among configured routes, but the audience must come from the route's own config so it always matches where the request is forwarded.
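The two derivations side by side, as an added example written for this note (not AuthBridge code). It assumes a hypothetical HS256 shared key, a hypothetical route table keyed by path prefix in which each destination carries its configured audience, and the constructed convention that the Host-derived audience is `https://<host>`; the attacker in the usage scenario legitimately holds a token for the low-value audience and replays it against the admin route with a spoofed Host.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key; stands in for whatever signing material a real deployment uses.
SIGNING_KEY = b"demo-shared-secret"

# Hypothetical route table: the gateway resolves a path to a destination, and each
# destination has a fixed audience that the upstream expects in the token's aud claim.
ROUTES = {
    "/public/": {"destination": "public-api", "audience": "https://public.example"},
    "/admin/":  {"destination": "admin-api",  "audience": "https://admin.example"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(audience: str, subject: str = "alice", ttl: int = 300) -> str:
    """Mint an HS256 JWT for the given audience (anyone can obtain one for a low-value aud)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str) -> bool:
    """Check signature, algorithm, expiry and that aud contains exactly the expected audience."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    expected_sig = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) < time.time():
        return False
    aud = claims.get("aud")
    return expected_aud in (aud if isinstance(aud, list) else [aud])


def resolve_route(path: str):
    """Longest-prefix match against the configured routes; None if nothing matches."""
    best = None
    for prefix, route in ROUTES.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, route)
    return best[1] if best else None


def audience_from_host(headers: dict) -> str:
    """Current (vulnerable) behaviour: the expected audience is whatever the client put in Host."""
    return "https://" + headers.get("host", "").strip().lower()


def audience_from_route(path: str):
    """Proposed fix: the expected audience is fixed by the resolved route's configuration."""
    route = resolve_route(path)
    return route["audience"] if route else None


def authorize_vulnerable(path: str, headers: dict, token: str) -> bool:
    return verify_token(token, audience_from_host(headers))


def authorize_hardened(path: str, headers: dict, token: str) -> bool:
    expected = audience_from_route(path)
    if expected is None:          # no configured destination: refuse rather than guess an audience
        return False
    return verify_token(token, expected)


if __name__ == "__main__":
    # Attacker holds a valid token for the public API and replays it against /admin/ with a spoofed Host.
    public_token = mint_token("https://public.example")
    spoofed = {"host": "public.example"}
    print("vulnerable accepts:", authorize_vulnerable("/admin/users", spoofed, public_token))  # True
    print("hardened accepts:  ", authorize_hardened("/admin/users", spoofed, public_token))    # False
```

The hardened path still lets Host participate in routing if the deployment is virtual-host based, but the audience then comes from whichever configured route was resolved, so it always matches the destination the request is forwarded to; a Host value that matches no route yields no audience and the request is refused. The same rule applies to token-exchange: the target audience of the exchanged token should be the resolved destination's configured audience, never a value echoed from the inbound request.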