symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
+3-3Lines changed: 3 additions & 3 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
+3-3Lines changed: 3 additions & 3 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
+1-1Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
Copy file name to clipboardExpand all lines: src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
+1-1Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
+3-5Lines changed: 3 additions & 5 deletions b/‎src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
+3-5Lines changed: 3 additions & 5 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
+6-6Lines changed: 6 additions & 6 deletions b/‎src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
Copy file name to clipboardExpand all lines: src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
+6-6Lines changed: 6 additions & 6 deletions
@@ -28,8 +28,8 @@ class OidcTokenHandlerFactory implements TokenHandlerFactoryInterface
     public function create(ContainerBuilder $container, string $id, array|string $config): void
     {
         $tokenHandlerDefinition = $container->setDefinition($id, (new ChildDefinition('security.access_token_handler.oidc'))
-            ->replaceArgument(4, $config['claim'])
-            ->replaceArgument(5, $config['audience'])
+            ->replaceArgument(2, $config['audience'])
+            ->replaceArgument(5, $config['claim'])
         );
 
         if (!ContainerBuilder::willBeAvailable('web-token/jwt-core', Algorithm::class, ['symfony/security-bundle'])) {
@@ -68,7 +68,7 @@ public function addConfiguration(NodeBuilder $node): void
                     ->end()
                     ->scalarNode('audience')
                         ->info('Audience set in the token, for validation purpose.')
-                        ->defaultNull()
+                        ->isRequired()
                     ->end()
                     ->scalarNode('algorithm')
                         ->info('Algorithm used to sign the token.')
 
@@ -69,10 +69,10 @@
             ->args([
                 abstract_arg('signature algorithm'),
                 abstract_arg('signature key'),
+                abstract_arg('audience'),
                 service('logger')->nullOnInvalid(),
                 service('clock'),
                 'sub',
-                null,
             ])
 
         ->set('security.access_token_handler.oidc.jwk', JWK::class)
 
@@ -41,10 +41,10 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
     public function __construct(
         private Algorithm $signatureAlgorithm,
         private JWK $jwk,
+        private string $audience,
         private ?LoggerInterface $logger = null,
         private ClockInterface $clock = new Clock(),
-        private string $claim = 'sub',
-        private ?string $audience = null
+        private string $claim = 'sub'
     ) {
     }
 
@@ -80,10 +80,8 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
                 new Checker\IssuedAtChecker(0, false, $this->clock),
                 new Checker\NotBeforeChecker(0, false, $this->clock),
                 new Checker\ExpirationTimeChecker(0, false, $this->clock),
+                new Checker\AudienceChecker($this->audience),
             ];
-            if ($this->audience) {
-                $checkers[] = new Checker\AudienceChecker($this->audience);
-            }
             $claimCheckerManager = new ClaimCheckerManager($checkers);
             // if this check fails, an InvalidClaimException is thrown
             $claimCheckerManager->check($claims);
 
@@ -55,10 +55,10 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
         $userBadge = (new OidcTokenHandler(
             new ES256(),
             $this->getJWK(),
+            self::AUDIENCE,
             $loggerMock,
             new Clock(),
-            $claim,
-            self::AUDIENCE
+            $claim
         ))->getUserBadgeFrom($token);
         $actualUser = $userBadge->getUserLoader()();
 
@@ -89,10 +89,10 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token)
         (new OidcTokenHandler(
             new ES256(),
             $this->getJWK(),
+            self::AUDIENCE,
             $loggerMock,
             new Clock(),
-            'sub',
-            self::AUDIENCE
+            'sub'
         ))->getUserBadgeFrom($token);
     }
 
@@ -148,10 +148,10 @@ public function testThrowsAnErrorIfUserPropertyIsMissing()
         (new OidcTokenHandler(
             new ES256(),
             self::getJWK(),
+            self::AUDIENCE,
             $loggerMock,
             new Clock(),
-            'email',
-            self::AUDIENCE
+            'email'
         ))->getUserBadgeFrom($token);
     }