Do not reject present aud claim when audience is None #409
Open
arpitjain099 wants to merge 1 commit into
jwt.decode(..., audience=None) is the documented way to skip audience
verification, but _validate_aud still ran the final membership check and
raised JWTClaimsError("Invalid audience") whenever the token carried an
aud claim. RFC 7519 4.1.3 only requires the aud claim to be checked when
a principal identifies itself as an intended recipient; a caller that
passes no audience is not identifying itself, so a present aud claim must
not cause failure. This also matches PyJWT, which skips the check when no
audience is supplied.
Guard the membership check with audience is not None. A supplied audience
still has to match (mismatch raises as before), and verify_aud=False is
unaffected.
Fixes mpdavis#389
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Fixes #389
Problem
jwt.decode(..., audience=None) is the documented way to decode a token without verifying its audience, but it raises JWTClaimsError("Invalid audience") whenever the token happens to carry an aud claim.
The cause is the final membership check in _validate_aud (jose/jwt.py):
When the caller passes audience=None, None is never a member of audience_claims, so any token that contains an aud claim fails verification even though the caller asked for no audience check.
Why this is the correct behavior
RFC 7519 section 4.1.3 ties audience verification to a principal identifying itself:
A caller that passes no audience (audience=None) is not identifying itself as an intended recipient, so a present aud claim should not on its own cause rejection. PyJWT behaves the same way: it only enforces the aud claim when an audience is supplied.
Fix
Guard the membership check so it only runs when an audience was actually provided:
Behavior preserved:
audience=None (or omitted) with an aud claim present: no longer raises.
audience that matches: passes, as before.
audience that does not match: still raises JWTClaimsError.
verify_aud=False: unaffected (the whole check is already skipped upstream).
Tests
Added four tests to tests/test_jwt.py:
test_aud_none_with_aud_claim_present
test_aud_none_with_aud_list_claim_present
test_aud_none_default_argument
test_aud_verify_disabled_with_aud_claim
The three audience=None tests fail against the current code and pass with the fix. The full tests/test_jwt.py suite passes (65 tests), and black/isort are clean on the changed files.
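As an added illustration (not python-jose's own code and not part of this PR), the following standalone model reproduces the membership check the description discusses, with the pre-fix logic beside the guarded version; function and variable names are assumptions, and the sample claims are constructed.

```python
# Added example: a standalone model of the aud membership check described
# above. It is not python-jose's code; names and sample claims are assumed.
from typing import Any, Callable, Dict, List, Optional


class JWTClaimsError(Exception):
    """Stand-in for the exception python-jose raises on claim failures."""


def _audience_claims(claims: Dict[str, Any]) -> List[str]:
    """Normalise aud to a list of strings (RFC 7519 allows string or list)."""
    aud = claims["aud"]
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or any(not isinstance(a, str) for a in aud):
        raise JWTClaimsError("Invalid claim format in token")
    return aud


def validate_aud_before(claims: Dict[str, Any], audience: Optional[str] = None) -> None:
    """Pre-fix logic: the membership check runs even when audience is None."""
    if "aud" not in claims:
        return
    if audience not in _audience_claims(claims):  # None is never a member
        raise JWTClaimsError("Invalid audience")


def validate_aud_after(claims: Dict[str, Any], audience: Optional[str] = None) -> None:
    """Fixed logic: enforce membership only when the caller named an audience."""
    if "aud" not in claims:
        return
    audience_claims = _audience_claims(claims)  # format is still validated
    if audience is not None and audience not in audience_claims:
        raise JWTClaimsError("Invalid audience")


def outcome(validator: Callable[..., None], claims: Dict[str, Any],
            audience: Optional[str] = None) -> str:
    """Run a validator and report 'ok' or 'rejected' for side-by-side comparison."""
    try:
        validator(claims, audience)
        return "ok"
    except JWTClaimsError:
        return "rejected"


# Constructed sample claim sets (not real tokens).
CLAIMS_STR = {"sub": "alice", "aud": "api.example"}
CLAIMS_LIST = {"sub": "alice", "aud": ["api.example", "web.example"]}

if __name__ == "__main__":
    for name, claims in (("string aud", CLAIMS_STR), ("list aud", CLAIMS_LIST)):
        print(name, "audience=None  before:", outcome(validate_aud_before, claims),
              " after:", outcome(validate_aud_after, claims))
    print("mismatch still rejected after fix:",
          outcome(validate_aud_after, CLAIMS_STR, "other.example"))
```

The fix does not weaken verification: a supplied audience must still be a member of the aud claim, and malformed aud values are still rejected.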