
Provide invalid audiences in exception message

Open WizzardMaker opened this issue 3 months ago • 0 comments

The audience check currently either succeeds or reports "Audience doesn't match". This makes it hard to track the incorrect audiences (either for security reasons, or for helping with migrating audiences/clients).

I don't know if that is intended, but it would be nice to have the library log the audience, especially because the only other way to get the used audience is to either check the audience yourself (with probably just the same logic, but that would force us to do that "critical" check ourselves) or check the token twice, once to get the token data and a second time for the audience check.

The simplest way would be:

```python
from jwt.exceptions import InvalidAudienceError

# audience_claims: the "aud" value(s) carried by the token
# audience: the list the application approved
raise InvalidAudienceError(
    "Audience "
    + str(audience_claims)
    + " is not in approved list: "
    + str(audience)
)
```

when throwing the error.

I'm happy to provide the PR, but don't want to start something like that, if that's not wanted.

WizzardMaker, Oct 08 '25 14:10
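To show what the proposed message would surface, here is an added, stand-alone re-implementation of the audience check with that message (example code, not pyjwt's own; the exception classes are local stand-ins for `jwt.exceptions.InvalidAudienceError` and `MissingRequiredClaimError`, and the matching rules assumed are: `aud` may be a string or a list of strings, the approved audience may be a string or an iterable, and any overlap passes).

```python
from __future__ import annotations

from typing import Iterable


class InvalidAudienceError(Exception):
    """Local stand-in for jwt.exceptions.InvalidAudienceError (assumption)."""


class MissingRequiredClaimError(Exception):
    """Local stand-in for jwt.exceptions.MissingRequiredClaimError (assumption)."""


def validate_aud(payload: dict, audience: str | Iterable[str] | None) -> list[str]:
    """Audience check with the informative error proposed in the issue.

    Returns the token audiences that matched the approved list.
    """
    if audience is None:
        if "aud" in payload and payload["aud"]:
            # Application approved nothing, but the token names an audience.
            raise InvalidAudienceError("Invalid audience")
        return []
    if "aud" not in payload or not payload["aud"]:
        raise MissingRequiredClaimError("aud")

    audience_claims = payload["aud"]
    if isinstance(audience_claims, str):
        audience_claims = [audience_claims]
    if not isinstance(audience_claims, list) or not all(
        isinstance(c, str) for c in audience_claims
    ):
        raise InvalidAudienceError("Invalid claim format in token")

    approved = [audience] if isinstance(audience, str) else list(audience)
    matched = [c for c in audience_claims if c in approved]
    if not matched:
        # Report both sides, as proposed, so a mismatch can be tracked.
        raise InvalidAudienceError(
            "Audience " + str(audience_claims) + " is not in approved list: " + str(approved)
        )
    return matched


def audience_error_message(payload: dict, audience) -> str | None:
    """What a caller would log: None on success, else the error text."""
    try:
        validate_aud(payload, audience)
    except (InvalidAudienceError, MissingRequiredClaimError) as exc:
        return str(exc)
    return None
```

The `aud` value comes from the token itself, so when the message reaches a log sink, cap its length and escape control characters before writing it.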