Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT token contains multiple audience values (eg, Auth0) #1070

Merged
merged 1 commit into from Aug 26, 2020
Merged

JWT token contains multiple audience values (eg, Auth0) #1070

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
10 changes: 7 additions & 3 deletions src/events/http/createJWTAuthScheme.js
View file
Open in desktop
Expand Up @@ -54,11 +54,15 @@ export default function createAuthScheme(jwtOptions) {
}

if (
!jwtOptions.audience.includes(aud) &&
jwtOptions.audience.filter((x) =>
Array.isArray(aud) ? aud.includes(x) : aud === x,
).length === 0 &&
!jwtOptions.audience.includes(clientId)
) {
serverlessLog(`JWT Token not from correct audience`)
return Boom.unauthorized('JWT Token not from correct audience')
serverlessLog(`JWT Token does not contain correct audience`)
return Boom.unauthorized(
'JWT Token does not contain correct audience',
)
}

let scopes = null
Expand Down
24 changes: 22 additions & 2 deletions tests/integration/jwt-authorizer/jwt-authorizer.test.js
View file
Open in desktop
Expand Up @@ -58,6 +58,11 @@ const correctAudience = {
}
delete correctAudience.client_id

const multipleCorrectAudience = {
...correctAudience,
aud: [baseJWT.client_id, 'https://api.example.com/'],
}

const noScopes = {
...baseJWT,
}
Expand Down Expand Up @@ -104,6 +109,21 @@ describe('jwt authorizer tests', () => {
status: 200,
},

{
description:
'Valid JWT with multiple audience values (one matching single configured audience)',
expected: {
status: 'authorized',
requestContext: {
claims: multipleCorrectAudience,
scopes: ['profile', 'email'],
},
},
jwt: multipleCorrectAudience,
path: '/dev/user1',
status: 200,
},

{
description: 'Valid JWT with scopes',
expected: {
Expand Down Expand Up @@ -144,7 +164,7 @@ describe('jwt authorizer tests', () => {
expected: {
statusCode: 401,
error: 'Unauthorized',
message: 'JWT Token not from correct audience',
message: 'JWT Token does not contain correct audience',
},
jwt: wrongClientId,
path: '/dev/user1',
Expand All @@ -155,7 +175,7 @@ describe('jwt authorizer tests', () => {
expected: {
statusCode: 401,
error: 'Unauthorized',
message: 'JWT Token not from correct audience',
message: 'JWT Token does not contain correct audience',
},
jwt: wrongAudience,
path: '/dev/user1',
Expand Down