The aud in a json web token can be a string or an array -- so also deal with the case that it is an array

2025-01-27 01:40:48 +00:00 · 2023-02-14 19:39:35 -05:00 · 2023-02-14 19:39:35 -05:00 · c8a83f80b6
commit c8a83f80b6
parent 735e7f726c
1 changed files with 2 additions and 4 deletions
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@ -169,10 +169,8 @@ class AuthenticationService:
        iat = decoded_token["iat"]
        if iss != cls.server_url():
            valid = False
-        elif aud not in (
-            cls.client_id(),
-            "account",
-        ):
+        elif aud not in (cls.client_id(), "account") and\
+                aud != [cls.client_id(), "account"]:
            valid = False
        elif azp and azp not in (
            cls.client_id(),