ajkavanagh / pyramid_jwtauth

JSON Web Token (JWT) Auth plugin for Pyramid

PyJWT > 0.4.0 enforces audience claim checking #8

Closed ajkavanagh closed 9 years ago

ajkavanagh commented 9 years ago

This broke my app as I use audiences to distinguish between different parts of the service - auth and application parts.

PyJWT enforces an audience check (https://github.com/jpadilla/pyjwt) if the audience is present in the JWT:

import jwt

payload = {
    'some': 'payload',
    'aud': 'urn:foo'
}

token = jwt.encode(payload, 'secret')
decoded = jwt.decode(token, 'secret', audience='urn:foo')

There is also (as of PyJWT 1.1.0) a way of disabling the audience check:

You may also override exception checking via an options dictionary. The default options are as follows:

options = {
   'verify_signature': True,
   'verify_exp': True,
   'verify_nbf': True,
   'verify_iat': True,
   'verify_aud': True
}

You can skip individual checks by passing an options dictionary with certain keys set to False. For example, if you want to verify the signature of a JWT that has already expired.

>>> options = {
>>>    'verify_exp': False,
>>> }

>>> jwt.decode(encoded, 'secret', options=options)
{u'some': u'payload'}

Thus, by default I think that the options should be left at the default, but that there is a mechanism to configure pyramid_jwtauth to disable any checks: it's then up to the app to re-introduce those checks manually if wanted.

So, I will add the following items to the configuration:

jwtauth.disable_verify_signature = true (default false)
jwtauth.disable_verify_exp = true (default false)
jwtauth.disable_verify_nbf = true (default false)
jwtauth.disable_verify_iat = true (default false)
jwtauth.disable_verify_aud = true (default false)

i.e. the default will be that ALL the checks will be done, with the option to disable them globally. I can't, presently, think of a way of doing it per authenticated_userid or unauthenticated_userid call.
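The following is an added example, not code from pyramid_jwtauth or PyJWT. It uses only the standard library as a stand-in for jwt.encode/jwt.decode so it runs offline, and it mirrors the behaviour the issue describes: a token that carries an 'aud' claim is rejected unless the caller names the audience it expects, and every check can be switched off through a PyJWT-style options dict. The options_from_settings helper is a hypothetical reading of the jwtauth.disable_verify_* settings proposed above; the secret and the 'urn:auth' / 'urn:app' audiences are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Default checks, matching the PyJWT 1.1 defaults quoted in the issue.
DEFAULT_OPTIONS = {
    'verify_signature': True,
    'verify_exp': True,
    'verify_nbf': True,
    'verify_iat': True,
    'verify_aud': True,
}


class InvalidTokenError(Exception):
    """Base error for any failed check."""


class InvalidAudienceError(InvalidTokenError):
    """Audience expectation and the token's 'aud' claim do not agree."""


def options_from_settings(settings, prefix='jwtauth.'):
    """Hypothetical helper: map jwtauth.disable_verify_<check> = true settings
    onto an options dict. Every check stays on unless explicitly disabled."""
    options = dict(DEFAULT_OPTIONS)
    for check in DEFAULT_OPTIONS:
        raw = str(settings.get(prefix + 'disable_' + check, 'false'))
        if raw.strip().lower() in ('true', '1', 'yes', 'on'):
            options[check] = False
    return options


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def _unb64url(text):
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def encode(payload, secret):
    """Mint an HS256 token (stdlib stand-in for jwt.encode)."""
    header = {'alg': 'HS256', 'typ': 'JWT'}
    segments = [_b64url(json.dumps(part, separators=(',', ':')).encode())
                for part in (header, payload)]
    signing_input = '.'.join(segments)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + '.' + _b64url(sig)


def decode(token, secret, audience=None, options=None, now=None):
    """Verify and decode a token (stdlib stand-in for jwt.decode).
    options overrides DEFAULT_OPTIONS; now lets the time checks be tested."""
    opts = dict(DEFAULT_OPTIONS)
    opts.update(options or {})
    now = time.time() if now is None else now
    try:
        head_b64, payload_b64, sig_b64 = token.split('.')
    except ValueError:
        raise InvalidTokenError('token must have three dot-separated segments')
    if opts['verify_signature']:
        header = json.loads(_unb64url(head_b64))
        if header.get('alg') != 'HS256':  # never trust the header's choice of alg
            raise InvalidTokenError('unsupported alg %r' % header.get('alg'))
        expected = hmac.new(secret.encode(), (head_b64 + '.' + payload_b64).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            raise InvalidTokenError('signature mismatch')
    payload = json.loads(_unb64url(payload_b64))
    if opts['verify_exp'] and 'exp' in payload and now >= payload['exp']:
        raise InvalidTokenError('token expired')
    if opts['verify_nbf'] and 'nbf' in payload and now < payload['nbf']:
        raise InvalidTokenError('token not yet valid')
    if opts['verify_iat'] and 'iat' in payload and now < payload['iat']:
        raise InvalidTokenError('token issued in the future')
    if opts['verify_aud']:
        if 'aud' in payload and audience is None:
            raise InvalidAudienceError('token carries aud but no audience was expected')
        if 'aud' not in payload and audience is not None:
            raise InvalidAudienceError('audience expected but token has no aud claim')
        if 'aud' in payload:
            claimed = payload['aud'] if isinstance(payload['aud'], list) else [payload['aud']]
            if audience not in claimed:
                raise InvalidAudienceError('token is for %r, not %r' % (claimed, audience))
    return payload


def raises(exc, fn, *args, **kwargs):
    """True if fn(*args, **kwargs) raises exc; used to show the rejections."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


if __name__ == '__main__':
    secret = 'secret'  # constructed demo secret
    auth_token = encode({'sub': 'alice', 'aud': 'urn:auth'}, secret)
    print(decode(auth_token, secret, audience='urn:auth'))
    # The application part must not accept a token minted for the auth part.
    print(raises(InvalidAudienceError, decode, auth_token, secret, audience='urn:app'))
    # Disabling the check globally, as the proposed setting would, lets it through;
    # the app then has to compare payload['aud'] itself.
    opts = options_from_settings({'jwtauth.disable_verify_aud': 'true'})
    print(decode(auth_token, secret, options=opts))
```

The audience check is what keeps a token issued for one part of the service from being replayed against another, so the safer configuration is the one proposed above: leave verify_aud on and pass the expected audience at decode time, and only set jwtauth.disable_verify_aud = true when the application re-checks payload['aud'] itself.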

ajkavanagh commented 9 years ago

Missed 'fixes' in the commit. Anyway, this is sorted as per 0.1.2 version of the library.