From c1d33bb55b2841668e79cc24a2d9d25b439315dc Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Wed, 30 Jan 2013 14:22:28 -0500
Subject: [PATCH] bugfix in assertion processor
---
 .../connect/assertion/JwtBearerAuthenticationProvider.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
index 5fdb0c45d..573898d5e 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
@@ -85,7 +85,7 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
 // check the signature with nimbus
 JWSVerifier verifier = getVerifierForClient(client);
 JWSObject jws = JWSObject.parse(jwtAuth.getJwt().toString());
- if (verifier != null && !jws.verify(verifier)) {
+ if (verifier == null && !jws.verify(verifier)) {
 throw new AuthenticationServiceException("Invalid signature");
 }
@@ -118,7 +118,7 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
 // check audience
 if (jwtClaims.getAudience() == null) {
 throw new AuthenticationServiceException("Assertion token audience is null");
- } else if (!jwtClaims.getAudience().equals(config.getIssuer())) {
+ } else if (!jwtClaims.getAudience().contains(config.getIssuer())) {
 throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " got " + jwtClaims.getAudience());
 }
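Review bot: In the first hunk the new guard `if (verifier == null && !jws.verify(verifier))` cannot reject a bad signature: whenever `getVerifierForClient(client)` returns a verifier the left operand is false, `jws.verify` is short-circuited away, and the assertion is accepted without its signature being checked. When the verifier is null, `jws.verify(null)` is evaluated instead, which presumably fails with something other than the intended `AuthenticationServiceException`. Failing closed needs `||` rather than `&&`: `if (verifier == null || !jws.verify(verifier)) {`, ideally backed by a regression test showing that an assertion with an altered signature is refused. The enclosing method starts and ends outside the hunk.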
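Review bot: In the second hunk, whether `getAudience().contains(config.getIssuer())` is an exact match depends on the return type of `getAudience()`, which the hunk does not show. If it is a `String`, `contains` is a substring test and accepts any audience value that merely embeds the issuer, which is looser than the `equals` it replaces; if it is a collection, it is an element match and is what a multi-valued `aud` claim needs. I would pin that down with a comment on the branch, `// aud is a list of exact values; this server's issuer must be one of them`, or keep an exact comparison per value if the claim is a string. The enclosing method starts and ends outside the hunk.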