Skip to content

Do not reject present aud claim when audience is None #409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
arpitjain099 wants to merge 1 commit into
base: master
Choose a base branch
from
+33 −1
Open

Do not reject present aud claim when audience is None #409

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion jose/jwt.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -363,7 +363,7 @@ def _validate_aud(claims, audience=None):
raise JWTClaimsError("Invalid claim format in token")
if any(not isinstance(c, str) for c in audience_claims):
raise JWTClaimsError("Invalid claim format in token")
if audience not in audience_claims:
if audience is not None and audience not in audience_claims:
raise JWTClaimsError("Invalid audience")


Expand Down
32 changes: 32 additions & 0 deletions tests/test_jwt.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -359,6 +359,38 @@ def test_aud_empty_claim(self, claims, key):
token = jwt.encode(claims, key)
jwt.decode(token, key, audience=aud)

def test_aud_none_with_aud_claim_present(self, key):
# RFC 7519 4.1.3: a principal only has to identify itself in the
# "aud" claim when it verifies as an intended recipient. A caller
# that passes audience=None is not identifying itself, so a present
# "aud" claim must not cause verification to fail. See issue #389.
claims = {"aud": "audience"}

token = jwt.encode(claims, key)
jwt.decode(token, key, audience=None)

def test_aud_none_with_aud_list_claim_present(self, key):
claims = {"aud": ["audience", "another"]}

token = jwt.encode(claims, key)
jwt.decode(token, key, audience=None)

def test_aud_none_default_argument(self, key):
# audience defaults to None, so omitting it entirely must also pass
# when the token carries an "aud" claim.
claims = {"aud": "audience"}

token = jwt.encode(claims, key)
jwt.decode(token, key)

def test_aud_verify_disabled_with_aud_claim(self, key):
# verify_aud=False must still skip the check even when an audience
# is supplied and would otherwise mismatch.
claims = {"aud": "audience"}

token = jwt.encode(claims, key)
jwt.decode(token, key, audience="other", options={"verify_aud": False})

def test_aud_not_string_or_list(self, key):
aud = 1

Expand Down