In short, is such an OIDC JWT payload valid?

```json
{
  "sub": "alice",
  "email": ["alice@wonderland.net", "alice@wherever.com"],
  ...
}
```
Reading the official RFCs, I could only find that the keys (`sub`, `email`, etc.) must be unique, but nothing about the values.
The `email` claim is required to be a string, so an array is not a valid value, as per the OpenID Connect Core 1.0 spec (formatting is mine):

> `email` (string): End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.
In RFC 5322, the addr-spec syntax is defined as follows:

> An addr-spec is a specific Internet identifier that contains a locally interpreted string followed by the at-sign character (`@`, ASCII value 64) followed by an Internet domain. [...]

```
addr-spec       =   local-part "@" domain
local-part      =   dot-atom / quoted-string / obs-local-part
domain          =   dot-atom / domain-literal / obs-domain
domain-literal  =   [CFWS] "[" *([FWS] dtext) [FWS] "]" [CFWS]
dtext           =   %d33-90 /          ; Printable US-ASCII
                    %d94-126 /         ;  characters not including
                    obs-dtext          ;  "[", "]", or "\"
```
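As an added illustration (not part of the answer above, and not code from any OIDC library), here is how a relying party can enforce the rule the answer describes: check that the `email` claim is a string before looking at its contents, and reject an array rather than quietly taking its first element. The sample payloads are constructed from the question; the addr-spec matcher is a simplification that is assumed for this example and accepts only the dot-atom and domain-literal forms, not quoted-string or the obs-* productions.

```python
import re
from typing import Any

# Constructed sample payloads modelled on the question (not real tokens).
PAYLOAD_ARRAY = {"sub": "alice", "email": ["alice@wonderland.net", "alice@wherever.com"]}
PAYLOAD_STRING = {"sub": "alice", "email": "alice@wonderland.net"}
PAYLOAD_BAD_SYNTAX = {"sub": "alice", "email": "alice@@wonderland.net"}

# Simplified RFC 5322 addr-spec (an assumption of this example):
#   local-part "@" (dot-atom / domain-literal)
# quoted-string and obs-* forms are deliberately not accepted, so this is
# stricter than the full grammar quoted in the answer.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATEXT}(?:\.{_ATEXT})*"
# dtext = %d33-90 / %d94-126: printable US-ASCII minus "[", "]" and "\"
_DTEXT = r"[\x21-\x5a\x5e-\x7e]"
_DOMAIN_LITERAL = rf"\[{_DTEXT}*\]"
_ADDR_SPEC = re.compile(rf"^{_DOT_ATOM}@(?:{_DOT_ATOM}|{_DOMAIN_LITERAL})$")


def check_email_claim(payload: dict[str, Any]) -> tuple[bool, str]:
    """Return (ok, reason) for the 'email' claim of a decoded ID token payload.

    The type check comes first: OIDC Core defines the value as a string, so a
    list (even a list of well-formed addresses) is rejected instead of being
    unwrapped, which would let the token author choose which address the RP uses.
    """
    if "email" not in payload:
        return True, "email claim absent (it is optional)"
    value = payload["email"]
    if not isinstance(value, str):
        return False, f"email claim must be a string, got {type(value).__name__}"
    if not _ADDR_SPEC.match(value):
        return False, "email claim is not an addr-spec"
    return True, "email claim is a well-formed string"


if __name__ == "__main__":
    for name, payload in [("array", PAYLOAD_ARRAY), ("string", PAYLOAD_STRING),
                          ("bad syntax", PAYLOAD_BAD_SYNTAX)]:
        print(name, check_email_claim(payload))
```

Running the block prints one line per sample payload; the array form is refused on type alone, before any address parsing happens. The check should run after signature and issuer verification, not instead of it.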