From 0ea65d58c4239e82e02fe2cd6f0d6446054421d6 Mon Sep 17 00:00:00 2001
From: Tim Hallmann
Date: Wed, 26 Feb 2025 17:38:32 +0100
Subject: [PATCH] Validate the aud claim of JwtAccessToken
---
 src/simple_openid_connect/data.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/src/simple_openid_connect/data.py b/src/simple_openid_connect/data.py
index 3c1714d..e58b034 100644
--- a/src/simple_openid_connect/data.py
+++ b/src/simple_openid_connect/data.py
@@ -342,12 +342,13 @@ class JwtAccessToken(OpenidBaseModel):
 scope: Optional[str] = None
 "OPTIONAL. Scopes to which the token grants access. Multiple scopes are encoded space separated. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present."
- def validate_extern(self, issuer: str) -> None:
+ def validate_extern(self, issuer: str, client_id: Union[str, None] = None) -> None:
 """
 Validate this access token with external data for consistency.
 :param issuer: The issuer that this token is supposed to originate from. Should usually be :data:`ProviderMetadata.issuer`.
+ :param client_id: The client id of this client
 """
 # validate issuer
 validate_that(
@@ -358,6 +359,19 @@ def validate_extern(self, issuer: str) -> None:
 # validate expiry
 validate_that(self.exp > time.time(), "The access token is expired")
+ # validate audience
+ if client_id:
+ if isinstance(self.aud, str):
+ validate_that(
+ self.aud == client_id,
+ "The access tokens audience does not contain own client_id",
+ )
+ elif isinstance(self.aud, list):
+ validate_that(
+ client_id in self.aud,
+ "The access tokens audience does not contain own client_id",
+ )
+
 class UserinfoRequest(OpenidBaseModel):
 """
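Review bot: The new `:param client_id:` line in the docstring does not say that the audience check is skipped entirely when the argument is omitted, which is what the `None` default does, so a reader of `:param client_id: The client id of this client` would assume the check always runs. I would change it to `:param client_id: The client id of this client. When given, the token's ``aud`` claim must contain it; when omitted (the default) no audience check is performed.` The body of `validate_extern` continues past the end of this hunk.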
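Review bot: When `client_id` is given but `self.aud` is neither a `str` nor a `list` — in particular `None`, if the model allows the claim to be absent — the new `if isinstance(...)`/`elif isinstance(...)` chain falls through and the token is accepted with no audience check at all, so the validation is silently bypassed instead of failing. Since `aud` is a required claim of a JWT access token (RFC 9068), a missing or unexpectedly typed audience should be rejected whenever a `client_id` was supplied. Normalising first closes the gap: `audiences = [self.aud] if isinstance(self.aud, str) else list(self.aud or [])` followed by `validate_that(client_id in audiences, "The access tokens audience does not contain own client_id")`. Note also that the `client_id=None` default makes the whole check opt-in, so every existing caller keeps skipping it; that is reasonable for compatibility but worth stating in the changelog. `validate_extern` starts before this hunk.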