
Make token validation compatible with AccessToken where "aud" claim is not provided

Open martinzugnoni opened this issue 5 years ago • 1 comment

As described here: https://github.com/labd/django-cognito-jwt/issues/22

The AccessToken validation is currently broken because the library is mandatorily checking the audience (aud) claim, which is not included in the AccessToken payload.

These few changes should detect it dynamically and check "aud" claim only when it is included in the token.

martinzugnoni, Jun 27 '20 14:06

Hi @mikedebock !

Any chance this issue will be merged to allow an optional aud field in JWT tokens?

It seems like Cognito provides aud claim only in IDToken and not access token.

As per RFC, this claim should be optional.

If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.

Use of this claim is OPTIONAL.

I see that the lib was updated last in December 2021. Any chance of adding this feature now and making a release?

Thanks!

CuriousLearner, Sep 30 '22 17:09