
JWT `aud` validation raises "Invalid audience" for `audience=None`

Open · temple opened this issue 5 months ago · 1 comment

Description

With python-jose 3.5.0 running on Python 3.12.3.

When calling `_validate_aud` in `jose/jwt.py` with the following arguments:

  • `claims` receiving an instance of `Mapping[str, Any]` with an `aud` key whose value is a `str`
  • `audience` receiving the value `None`

an exception of class `JWTClaimsError` with the message `'Invalid audience'` is raised.

Additional info

When `_validate_aud` is called with the parameters above, none of the conditions that raise an exception is satisfied except the last one, on line 366 of `jwt.py` at commit 393c37476c728782dacc41cd79472627a5b198f3:

```python
if audience not in audience_claims:
```

temple · Jul 22 '25 20:07

Hi, I'd like to work on this issue.

The issue demonstrates that calling `_validate_aud` with claims that include an `aud` string and with `audience=None` ends up raising `JWTClaimsError` with message "Invalid audience". From the code path referenced, the likely root cause is the check `if audience not in audience_claims:`, which assumes `audience` is comparable against `audience_claims` even when `audience` is `None`. If the function is intended to accept `audience=None` to mean "no audience check" or to behave differently, this check will incorrectly raise.

Proposed next steps / PR plan:

  1. Confirm intended behaviour for `audience=None` in the project docs (should it mean "skip audience validation" or "require that the token has no audience"?). If the intended behaviour is "skip audience validation", we should short-circuit early when `audience` is `None`.
  2. Add a unit test reproducing the failure (claims with `aud` as `str`, `audience=None` should not raise if behaviour is to skip validation; or should raise a clearer error if `None` is invalid).
  3. Implement a fix (example options):
     • If `audience=None` should skip validation: add at the top of `_validate_aud`: `if audience is None: return` (and document this).
     • If `audience=None` is invalid input: raise a more explicit `TypeError`/`ValueError` explaining `audience` must be `str` or sequence.
  4. Run test suite and open a PR referencing this issue.

Before I open a PR: can you confirm the intended semantics of audience=None? If you prefer, I can open a draft PR that implements the “skip validation when audience is None” approach together with tests so maintainers can review.

Faitholo · Nov 06 '25 11:11
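The three behaviours discussed in this thread, as an added stand-alone example rather than python-jose's own code: the first function mirrors the check quoted in the issue, the other two implement the two options the comment lays out. `JWTClaimsError` is a local stand-in for the library's exception, and `validate_aud_as_reported`, `validate_aud_skip`, `validate_aud_explicit` and `outcome` are names chosen for this example, not python-jose APIs. The explicit variant also accepts a sequence of acceptable audiences, which goes a little beyond the comment's single-string case.

```python
"""Stand-alone model of a JWT ``aud`` check.

Added example, not python-jose code: ``validate_aud_as_reported`` mirrors the
check quoted in the issue, ``validate_aud_skip`` and ``validate_aud_explicit``
are the two options from the comment.  ``JWTClaimsError`` is a local stand-in
for the library's exception; every function name here is an assumption.
"""
from typing import Any, Callable, Mapping, Optional, Sequence, Union

Audience = Union[str, Sequence[str]]


class JWTClaimsError(Exception):
    """Raised when a claim fails validation (stand-in for the library's class)."""


def _aud_values(claims: Mapping[str, Any]) -> list:
    """Return the token's ``aud`` claim as a list of str, or [] when absent.

    RFC 7519 allows ``aud`` to be a single string or an array of strings;
    anything else is a malformed claim.
    """
    if "aud" not in claims:
        return []
    aud = claims["aud"]
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        raise JWTClaimsError("Invalid claim format in token")
    return aud


def validate_aud_as_reported(claims: Mapping[str, Any], audience: Optional[str] = None) -> None:
    """The check as the issue describes it: ``audience not in audience_claims``.

    ``None`` is never an element of a list of strings, so any token carrying
    an ``aud`` claim is rejected with "Invalid audience" when audience=None.
    """
    aud = _aud_values(claims)
    if not aud:
        return
    if audience not in aud:
        raise JWTClaimsError("Invalid audience")


def validate_aud_skip(claims: Mapping[str, Any], audience: Optional[str] = None) -> None:
    """Option 1 from the comment: ``audience=None`` means "skip the check".

    Included to make the cost visible: a token minted for another service is
    accepted, which RFC 7519 section 4.1.3 says MUST be rejected when the
    verifier does not identify itself with a value in ``aud``.
    """
    if audience is None:
        return
    aud = _aud_values(claims)
    if not aud:
        return
    if audience not in aud:
        raise JWTClaimsError("Invalid audience")


def validate_aud_explicit(claims: Mapping[str, Any], audience: Optional[Audience]) -> None:
    """Option 2 from the comment: ``None`` is a programming error, not a policy.

    Accepts one audience or a sequence of acceptable audiences (the sequence
    form extends the comment's single-string case) and raises TypeError when
    the caller did not say who it is while the token names an audience.
    """
    aud = _aud_values(claims)
    if not aud:
        return  # no aud claim: nothing to compare, as in the reported code
    if audience is None:
        raise TypeError("audience must be a str or sequence of str when the token carries 'aud'")
    expected = [audience] if isinstance(audience, str) else list(audience)
    if not any(a in aud for a in expected):
        raise JWTClaimsError("Invalid audience")


def outcome(check: Callable[..., None], claims: Mapping[str, Any], audience: Any) -> str:
    """Run one check and describe the result, so the variants can be compared."""
    try:
        check(claims, audience)
    except (JWTClaimsError, TypeError) as exc:
        return f"{type(exc).__name__}: {exc}"
    return "accepted"


if __name__ == "__main__":
    token_claims = {"sub": "alice", "aud": "billing-api"}  # constructed sample claims
    for check in (validate_aud_as_reported, validate_aud_skip, validate_aud_explicit):
        print(f"{check.__name__:26} audience=None -> {outcome(check, token_claims, None)}")
```

Running the block prints what each variant does with a constructed token whose `aud` is `billing-api` and `audience=None`. The skip variant is there to make the trade-off visible: with `audience=None` it also accepts a token minted for `other-service`, which RFC 7519 section 4.1.3 says a verifier MUST reject when it does not identify itself with a value in `aud`. Rejecting `None` loudly, as the explicit variant does, keeps that property while replacing the misleading "Invalid audience" message with one that names the caller's mistake.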