[CHANGE] [AC] flipped audience and sub for consistency with JWT uses

nats-io · Jan 13, 2023 · 543f564 · 543f564
1 parent 4d52135
commit 543f564
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/server/auth_callout.go b/server/auth_callout.go
@@ -204,8 +204,13 @@ func (s *Server) processClientOrLeafCallout(c *client, opts *Options) (authorize
 	}
 	defer acc.unsubscribeInternal(sub)
 
-	// Build our request claims.
-	claim := jwt.NewAuthorizationRequestClaims(AuthRequestSubject)
+	// Build our request claims - jwt subject should be nkey
+	jwtSub := acc.Name
+	if opts.AuthCallout != nil {
+		jwtSub = opts.AuthCallout.Issuer
+	}
+	claim := jwt.NewAuthorizationRequestClaims(jwtSub)
+	claim.Audience = AuthRequestSubject
 	// Set expected public user nkey.
 	claim.UserNkey = pub
 
@@ -229,11 +234,6 @@ func (s *Server) processClientOrLeafCallout(c *client, opts *Options) (authorize
 
 	authTimeout := secondsToDuration(s.getOpts().AuthTimeout)
 	claim.Expires = time.Now().Add(time.Duration(authTimeout)).UTC().Unix()
-	if opts.AuthCallout != nil {
-		claim.Audience = opts.AuthCallout.Issuer
-	} else {
-		claim.Audience = acc.Name
-	}
 
 	// Grab client info for the request.
 	c.mu.Lock()