Merge pull request #1070 from rloomans/jwt-token-with-multiple-aud-va…

…lues JWT token contains multiple audience values (eg, Auth0)
dherault · Aug 26, 2020 · c0bcba6 · c0bcba6
2 parents b31f89d + d50bf81
commit c0bcba6
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 5 deletions.
diff --git a/src/events/http/createJWTAuthScheme.js b/src/events/http/createJWTAuthScheme.js
@@ -54,11 +54,15 @@ export default function createAuthScheme(jwtOptions) {
         }
 
         if (
-          !jwtOptions.audience.includes(aud) &&
+          jwtOptions.audience.filter((x) =>
+            Array.isArray(aud) ? aud.includes(x) : aud === x,
+          ).length === 0 &&
           !jwtOptions.audience.includes(clientId)
         ) {
-          serverlessLog(`JWT Token not from correct audience`)
-          return Boom.unauthorized('JWT Token not from correct audience')
+          serverlessLog(`JWT Token does not contain correct audience`)
+          return Boom.unauthorized(
+            'JWT Token does not contain correct audience',
+          )
         }
 
         let scopes = null

diff --git a/tests/integration/jwt-authorizer/jwt-authorizer.test.js b/tests/integration/jwt-authorizer/jwt-authorizer.test.js
@@ -58,6 +58,11 @@ const correctAudience = {
 }
 delete correctAudience.client_id
 
+const multipleCorrectAudience = {
+  ...correctAudience,
+  aud: [baseJWT.client_id, 'https://api.example.com/'],
+}
+
 const noScopes = {
   ...baseJWT,
 }
@@ -104,6 +109,21 @@ describe('jwt authorizer tests', () => {
       status: 200,
     },
 
+    {
+      description:
+        'Valid JWT with multiple audience values (one matching single configured audience)',
+      expected: {
+        status: 'authorized',
+        requestContext: {
+          claims: multipleCorrectAudience,
+          scopes: ['profile', 'email'],
+        },
+      },
+      jwt: multipleCorrectAudience,
+      path: '/dev/user1',
+      status: 200,
+    },
+
     {
       description: 'Valid JWT with scopes',
       expected: {
@@ -144,7 +164,7 @@ describe('jwt authorizer tests', () => {
       expected: {
         statusCode: 401,
         error: 'Unauthorized',
-        message: 'JWT Token not from correct audience',
+        message: 'JWT Token does not contain correct audience',
       },
       jwt: wrongClientId,
       path: '/dev/user1',
@@ -155,7 +175,7 @@ describe('jwt authorizer tests', () => {
       expected: {
         statusCode: 401,
         error: 'Unauthorized',
-        message: 'JWT Token not from correct audience',
+        message: 'JWT Token does not contain correct audience',
       },
       jwt: wrongAudience,
       path: '/dev/user1',