Security issue checking AUD when its falsey

[bundabrg]

Describe the bug

If a passed in 'aud' is an empty list [] then it will not be validated yet will still pass the essential claims validation as the checks are performed in two different ways. This may extend to other claims as well.

To Reproduce

claims_options = {
  "aud": {
    "essential": True,
    "value": "my_aud",
}

# token contains the data {'aud': []}
token = get_raw_token()

tok = jwt.decode(token, my_public_key, claims_options=claim_options)
tok.validate() # Passes

Expected behavior

An exception should be raised in validate_aud(). I'm not sure if one should be raised when checking essential claims since technically the claim is there.

Environment:

• OS: Linux
• Python Version: 3.8
• Authlib Version: 1.0.0

[lepture]

v1.0.1 was released.