Open martinzugnoni opened 4 years ago
Hi @mikedebock !
Any chance if this issue will be merged to allow optional `aud` field in JWT tokens?
It seems like Cognito provides `aud` claim only in IDToken and not access token.
As per RFC, this claim should be optional.
> If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.
> Use of this claim is OPTIONAL.
I see that the lib was updated last in December 2021. Any chance of adding this feature now and making a release?
Thanks!
As described here: https://github.com/labd/django-cognito-jwt/issues/22
The AccessToken validation is currently broken because the library is mandatorily checking the audience (aud) claim, which is not included in the AccessToken payload.
These few changes should detect it dynamically and check "aud" claim only when it is included in the token.
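
The conditional audience check described above, as an added example that is not the code of this pull request or of django-cognito-jwt. It assumes the signature and expiry were already verified, and it goes one step beyond the description: when `aud` is absent it binds the token to the app client through the `client_id` and `token_use` claims that Cognito puts in access tokens, so that skipping `aud` does not accept tokens issued to another client. The names `check_audience`, `ClaimError` and the sample client ID are hypothetical.

```python
# Added example, not the library's code. Assumption: `claims` is the payload
# of a JWT whose signature and expiry were already verified against the
# user pool's JWKS.


class ClaimError(ValueError):
    """Raised when the audience-related claims are not acceptable."""


def check_audience(claims, app_client_id):
    """Return the token_use value if the token was issued for app_client_id.

    ID tokens carry "aud"; Cognito access tokens carry "client_id" instead.
    """
    token_use = claims.get("token_use")
    if "aud" in claims:
        # RFC 7519: when "aud" is present we must identify ourselves in it.
        aud = claims["aud"]
        if isinstance(aud, str):
            audiences = [aud]
        elif isinstance(aud, (list, tuple)):
            audiences = list(aud)
        else:
            raise ClaimError("aud has an unexpected type")
        if app_client_id not in audiences:
            raise ClaimError("aud does not match this app client")
        return token_use
    # No "aud": only accept what is explicitly an access token for this client.
    if token_use != "access":
        raise ClaimError("token without aud is not an access token")
    if claims.get("client_id") != app_client_id:
        raise ClaimError("client_id does not match this app client")
    return token_use


# Constructed sample payloads (not real tokens).
CLIENT = "example-app-client-id"
ID_TOKEN = {"token_use": "id", "aud": CLIENT, "sub": "user-1"}
ACCESS_TOKEN = {"token_use": "access", "client_id": CLIENT, "sub": "user-1"}
FOREIGN_ACCESS = {"token_use": "access", "client_id": "other-client", "sub": "user-1"}

if __name__ == "__main__":
    for name, payload in [("id", ID_TOKEN), ("access", ACCESS_TOKEN),
                          ("foreign", FOREIGN_ACCESS)]:
        try:
            print(name, "accepted as", check_audience(payload, CLIENT))
        except ClaimError as exc:
            print(name, "rejected:", exc)
```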