From bccd2a84e3400f9afd9668bc5b69524fa959a858 Mon Sep 17 00:00:00 2001
From: Martin Zugnoni
Date: Sat, 27 Jun 2020 11:12:32 -0300
Subject: [PATCH] Optionally valida audience when it is provided in the token

---
 src/django_cognito_jwt/validator.py | 20 +++++++++++++-------
 tests/test_validator.py | 13 +++++++++++++
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/src/django_cognito_jwt/validator.py b/src/django_cognito_jwt/validator.py
index c25d3f3..0eb2a51 100644
--- a/src/django_cognito_jwt/validator.py
+++ b/src/django_cognito_jwt/validator.py
@@ -57,14 +57,20 @@ def validate(self, token):
         if not public_key:
             raise TokenError("No key found for this token")
 
+        params = {
+            "jwt": token,
+            "key": public_key,
+            "issuer": self.pool_url,
+            "algorithms": ["RS256"]
+        }
+
+        # include audience validation if "aud" claim is provided in token payload
+        token_payload = jwt.decode(token, verify=False)
+        if "aud" in token_payload:
+            params.update({"audience": self.audience})
+
         try:
-            jwt_data = jwt.decode(
-                token,
-                public_key,
-                audience=self.audience,
-                issuer=self.pool_url,
-                algorithms=["RS256"],
-            )
+            jwt_data = jwt.decode(**params)
         except (jwt.InvalidTokenError, jwt.ExpiredSignature, jwt.DecodeError) as exc:
             raise TokenError(str(exc))
         return jwt_data
diff --git a/tests/test_validator.py b/tests/test_validator.py
index 68a4886..b649954 100644
--- a/tests/test_validator.py
+++ b/tests/test_validator.py
@@ -46,6 +46,19 @@ def test_validate_token_error_aud(cognito_well_known_keys, jwk_private_key_one):
         auth.validate(token)
 
 
+def test_validate_token_missing_aud(cognito_well_known_keys, jwk_private_key_one):
+    token = create_jwt_token(
+        jwk_private_key_one,
+        {
+            "iss": "https://cognito-idp.eu-central-1.amazonaws.com/bla",
+            # missing aud
+            "sub": "username",
+        },
+    )
+    auth = validator.TokenValidator("eu-central-1", "bla", "my-audience")
+    auth.validate(token)
+
+
 @pytest.mark.parametrize(
     "is_cache_enabled,responses_calls", [(None, 2), (False, 2), (True, 1)]
 )
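Review bot: The new `if "aud" in token_payload` branch drops the client binding entirely for tokens that carry no `aud` claim, so any signature-valid token from the pool is now accepted regardless of which app client it was issued to; Cognito access tokens put the app client id in `client_id` rather than `aud`, so (assuming `self.audience` is the app client id, as the test constructor `TokenValidator("eu-central-1", "bla", "my-audience")` suggests) the no-`aud` case should check `client_id` on the verified payload instead of skipping validation. The unverified `jwt.decode(token, verify=False)` also sits above the `try`, so a token whose payload segment is not valid JSON surfaces as `jwt.DecodeError` instead of `TokenError`, unlike every other decode failure in `validate`; moving it inside the `try` keeps the error contract, and PyJWT's `verify=` argument is deprecated in favour of `options={"verify_signature": False}`, which should be checked against the pinned version. The enclosing `validate` starts before this hunk.
```python
        params = {
            "jwt": token,
            "key": public_key,
            "issuer": self.pool_url,
            "algorithms": ["RS256"],
        }
        try:
            # Unverified read only decides which client-binding claim to enforce;
            # every claim is re-read from the verified payload below.
            token_payload = jwt.decode(token, options={"verify_signature": False})
            if "aud" in token_payload:
                params["audience"] = self.audience
            jwt_data = jwt.decode(**params)
        except (jwt.InvalidTokenError, jwt.ExpiredSignature, jwt.DecodeError) as exc:
            raise TokenError(str(exc))
        # Cognito access tokens carry the app client id in "client_id" instead of "aud":
        # keep the client binding for them rather than skipping it.
        if "aud" not in jwt_data and jwt_data.get("client_id") != self.audience:
            raise TokenError("Token was not issued for this client")
        return jwt_data
```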
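Review bot: `test_validate_token_missing_aud` only proves that `validate` does not raise; capturing the result and pinning a claim, `jwt_data = auth.validate(token)` followed by `assert jwt_data["sub"] == "username"`, would also catch a regression where the decode succeeds but returns the wrong payload. Because this test fixes the contract that a token with no `aud` is accepted for `"my-audience"`, it deserves a negative companion (the same payload plus a `client_id` for a different app client) once the validator decides how such tokens are bound to a client. The `@pytest.mark.parametrize` test at the end of the hunk continues past it.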