Validate the aud claim of JwtAccessToken

fsinfuhh · Feb 26, 2025 · 0ea65d5 · 0ea65d5
1 parent a9e32ff
commit 0ea65d5
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/src/simple_openid_connect/data.py b/src/simple_openid_connect/data.py
@@ -342,12 +342,13 @@ class JwtAccessToken(OpenidBaseModel):
     scope: Optional[str] = None
     "OPTIONAL. Scopes to which the token grants access. Multiple scopes are encoded space separated. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present."
 
-    def validate_extern(self, issuer: str) -> None:
+    def validate_extern(self, issuer: str, client_id: Union[str, None] = None) -> None:
         """
         Validate this access token with external data for consistency.
 
         :param issuer: The issuer that this token is supposed to originate from.
             Should usually be :data:`ProviderMetadata.issuer`.
+        :param client_id: The client id of this client
         """
         # validate issuer
         validate_that(
@@ -358,6 +359,19 @@ def validate_extern(self, issuer: str) -> None:
         # validate expiry
         validate_that(self.exp > time.time(), "The access token is expired")
 
+        # validate audience
+        if client_id:
+            if isinstance(self.aud, str):
+                validate_that(
+                    self.aud == client_id,
+                    "The access tokens audience does not contain own client_id",
+                )
+            elif isinstance(self.aud, list):
+                validate_that(
+                    client_id in self.aud,
+                    "The access tokens audience does not contain own client_id",
+                )
+
 
 class UserinfoRequest(OpenidBaseModel):
     """