
Make token validation compatible with AccessToken where "aud" claim is not provided #33

Open
wants to merge 1 commit into
base: master

Conversation

martinzugnoni

As described here: #22

The AccessToken validation is currently broken because the library is mandatorily checking the audience (aud) claim, which is not included in the AccessToken payload.

These few changes should detect it dynamically and check "aud" claim only when it is included in the token.
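The claim-handling rule the PR describes, written out as an added example (this is not the PR's diff or the library's code): check "aud" when it is present, and when it is absent fall back to the "client_id" claim, which is where Cognito access tokens carry the app client id (an assumption about token layout, not something the PR states); a token with neither is rejected rather than waved through. The example assumes the JWT library has already verified the signature before these claims are inspected.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def payload_claims(token: str) -> dict:
    """Return the payload of a compact JWT as a dict.
    Signature verification is NOT done here; the JWT library must verify the
    signature before any of these claims are trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_ok(claims: dict, app_client_id: str) -> bool:
    """True only if the token was issued for app_client_id.
    - "aud" present (string or list): app_client_id must be one of its values.
    - "aud" absent: fall back to "client_id" (assumption: Cognito access-token layout).
    - neither present: reject instead of skipping the audience check entirely."""
    aud = claims.get("aud")
    if aud is not None:
        if isinstance(aud, str):
            aud = [aud]
        return isinstance(aud, list) and app_client_id in aud
    return claims.get("client_id") == app_client_id


def _constructed_token(claims: dict) -> str:
    # Constructed sample: real header shape, placeholder signature segment.
    return f'{_b64url_encode({"alg": "RS256", "typ": "JWT"})}.{_b64url_encode(claims)}.sig'


# Constructed samples mirroring the two token shapes discussed in the PR.
ID_TOKEN = _constructed_token({"sub": "u1", "aud": "app-client-1", "token_use": "id"})
ACCESS_TOKEN = _constructed_token({"sub": "u1", "client_id": "app-client-1", "token_use": "access"})
OTHER_CLIENT_TOKEN = _constructed_token({"sub": "u2", "client_id": "app-client-2", "token_use": "access"})

if __name__ == "__main__":
    for name, tok in [("id", ID_TOKEN), ("access", ACCESS_TOKEN), ("other", OTHER_CLIENT_TOKEN)]:
        print(name, audience_ok(payload_claims(tok), "app-client-1"))
```

Without the fallback, an access token issued to any other app client in the same user pool would pass once "aud" is simply treated as optional.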

@CuriousLearner

Hi @mikedebock!

Any chance this issue will be merged to allow an optional aud field in JWT tokens?

It seems like Cognito provides aud claim only in IDToken and not access token.

As per RFC, this claim should be optional.

If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.

Use of this claim is OPTIONAL.

I see that the lib was updated last in December 2021. Any chance of adding this feature now and making a release?

Thanks!

2 participants