do not validate the audience with the jwt decode since we have a more thorough check for it later w/ burnettk (#1109)

Co-authored-by: jasquat <jasquat@users.noreply.github.com>
2024-02-26 14:12:36 -05:00 · 2024-02-26 14:12:36 -05:00 · 80886b53bc
parent 13848e85e3
commit 80886b53bc
1 changed files with 7 additions and 2 deletions
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@ -99,7 +99,7 @@ class AuthenticationService:

    @classmethod
    def valid_audiences(cls, authentication_identifier: str) -> list[str]:
-        return [cls.client_id(authentication_identifier)]
+        return [cls.client_id(authentication_identifier), "account"]

    @classmethod
    def server_url(cls, authentication_identifier: str) -> str:
@ -181,12 +181,17 @@ class AuthenticationService:
                x509_cert = load_der_x509_certificate(decoded_certificate, default_backend())
                public_key = x509_cert.public_key()

+            # tokens generated from the cli have an aud like: [ "realm-management", "account" ]
+            # while tokens generated from frontend have an aud like: "spiffworkflow-backend."
+            # as such, we cannot simply pull the first valid audience out of cls.valid_audiences(authentication_identifier)
+            # and then shove it into decode (it will raise), but we need the algorithm from validate_decoded_token that checks
+            # if the audience in the token matches any of the valid audience values. Therefore do not check aud here.
            return jwt.decode(
                token,
                public_key,
                algorithms=[algorithm],
                audience=cls.valid_audiences(authentication_identifier)[0],
-                options={"verify_exp": False},
+                options={"verify_exp": False, "verify_aud": False},
            )

    @staticmethod