If you use set_audience or set_issuer, it is reasonable to assume that this crate will validate that the aud or iss claims are set to an acceptable value. As it turns out however, this crate doesn't do this validation unless you call set_required_spec_claims with the claim in question included. Otherwise JWTs without these claims will be accepted just fine. While this is documented on the aud and iss fields, this is not documented on set_audience or set_issuer. In addition it is rather surprising behavior than can (and in fact does) lead to misconfigurations in the JWT validation.
If you use
set_audienceorset_issuer, it is reasonable to assume that this crate will validate that theaudorissclaims are set to an acceptable value. As it turns out however, this crate doesn't do this validation unless you callset_required_spec_claimswith the claim in question included. Otherwise JWTs without these claims will be accepted just fine. While this is documented on theaudandissfields, this is not documented onset_audienceorset_issuer. In addition it is rather surprising behavior than can (and in fact does) lead to misconfigurations in the JWT validation.