Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jwt audience validation #1116

Merged
merged 3 commits into from Oct 26, 2020
Merged

Jwt audience validation #1116

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
82a9dc6
handle array-based jwt audience data
leemhenson Aug 10, 2020
fec147a
array audience in jwt authorizer test
leemhenson Oct 23, 2020
4e9fa6d
sync jwt authorizer error message with tests
leemhenson Oct 23, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
15 changes: 9 additions & 6 deletions src/events/http/createJWTAuthScheme.js
View file
Open in desktop
Expand Up @@ -53,12 +53,15 @@ export default function createAuthScheme(jwtOptions) {
return Boom.unauthorized('JWT Token not from correct issuer url')
}

if (
jwtOptions.audience.filter((x) =>
Array.isArray(aud) ? aud.includes(x) : aud === x,
).length === 0 &&
!jwtOptions.audience.includes(clientId)
) {
const validAudiences = Array.isArray(jwtOptions.audience)
? jwtOptions.audience
: [jwtOptions.audience]
const providedAudiences = Array.isArray(aud) ? aud : [aud]
const validAudienceProvided = providedAudiences.some((a) =>
validAudiences.includes(a),
)

if (!validAudienceProvided && !jwtOptions.audience.includes(clientId)) {
serverlessLog(`JWT Token does not contain correct audience`)
return Boom.unauthorized(
'JWT Token does not contain correct audience',
Expand Down
19 changes: 18 additions & 1 deletion tests/integration/jwt-authorizer/jwt-authorizer.test.js
View file
Open in desktop
Expand Up @@ -58,6 +58,11 @@ const correctAudience = {
}
delete correctAudience.client_id

const correctAudienceInArray = {
...correctAudience,
aud: [baseJWT.client_id],
}

const multipleCorrectAudience = {
...correctAudience,
aud: [baseJWT.client_id, 'https://api.example.com/'],
Expand Down Expand Up @@ -108,7 +113,19 @@ describe('jwt authorizer tests', () => {
path: '/dev/user1',
status: 200,
},

{
description: 'Valid JWT with audience in array',
expected: {
status: 'authorized',
requestContext: {
claims: correctAudienceInArray,
scopes: ['profile', 'email'],
},
},
jwt: correctAudienceInArray,
path: '/dev/user1',
status: 200,
},
{
description:
'Valid JWT with multiple audience values (one matching single configured audience)',
Expand Down