diff --git a/src/events/http/createJWTAuthScheme.js b/src/events/http/createJWTAuthScheme.js
index c885640b8..5ab1c56fc 100644
--- a/src/events/http/createJWTAuthScheme.js
+++ b/src/events/http/createJWTAuthScheme.js
@@ -53,12 +53,15 @@ export default function createAuthScheme(jwtOptions) {
 return Boom.unauthorized('JWT Token not from correct issuer url')
 }
 
- if (
- jwtOptions.audience.filter((x) =>
- Array.isArray(aud) ? aud.includes(x) : aud === x,
- ).length === 0 &&
- !jwtOptions.audience.includes(clientId)
- ) {
+ const validAudiences = Array.isArray(jwtOptions.audience)
+ ? jwtOptions.audience
+ : [jwtOptions.audience]
+ const providedAudiences = Array.isArray(aud) ? aud : [aud]
+ const validAudienceProvided = providedAudiences.some((a) =>
+ validAudiences.includes(a),
+ )
+
+ if (!validAudienceProvided && !jwtOptions.audience.includes(clientId)) {
 serverlessLog(`JWT Token does not contain correct audience`)
 return Boom.unauthorized(
 'JWT Token does not contain correct audience',
diff --git a/tests/integration/jwt-authorizer/jwt-authorizer.test.js b/tests/integration/jwt-authorizer/jwt-authorizer.test.js
index ca3b8a6d4..06f11c058 100644
--- a/tests/integration/jwt-authorizer/jwt-authorizer.test.js
+++ b/tests/integration/jwt-authorizer/jwt-authorizer.test.js
@@ -58,6 +58,11 @@ const correctAudience = {
 }
 delete correctAudience.client_id
 
+const correctAudienceInArray = {
+ ...correctAudience,
+ aud: [baseJWT.client_id],
+}
+
 const multipleCorrectAudience = {
 ...correctAudience,
 aud: [baseJWT.client_id, 'https://api.example.com/'],
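Review bot: The `client_id` fallback on the new `if` line still calls `jwtOptions.audience.includes(clientId)` on the raw option, so when `jwtOptions.audience` is the plain string this hunk now starts to accept, that call is `String.prototype.includes` — a substring search, not an equality check — and a token whose `client_id` is any substring of the configured audience (e.g. `api` against `https://api.example.com/`) would be authorized. Before this change a string audience would have thrown on the removed `.filter(...)` call, so the substring path is newly reachable rather than pre-existing. The `validAudiences` array built a few lines above already normalizes the configuration, so the fallback should use it: `if (!validAudienceProvided && !validAudiences.includes(clientId)) {`. Where `aud` and `clientId` are taken from the token is outside the hunk, and `createAuthScheme` itself starts and ends outside it.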
@@ -108,7 +113,19 @@ describe('jwt authorizer tests', () => {
 path: '/dev/user1',
 status: 200,
 },
-
+ {
+ description: 'Valid JWT with audience in array',
+ expected: {
+ status: 'authorized',
+ requestContext: {
+ claims: correctAudienceInArray,
+ scopes: ['profile', 'email'],
+ },
+ },
+ jwt: correctAudienceInArray,
+ path: '/dev/user1',
+ status: 200,
+ },
 {
 description: 'Valid JWT with multiple audience values (one matching single configured audience)',