labd / django-cognito-jwt

An Authentication backend for Django Rest Framework for AWS Cognito JWT tokens
MIT License

Make token validation compatible with AccessToken where "aud" claim is not provided #33

Open martinzugnoni opened 4 years ago

martinzugnoni commented 4 years ago

As described here: https://github.com/labd/django-cognito-jwt/issues/22

The AccessToken validation is currently broken because the library is mandatorily checking the audience (aud) claim, which is not included in the AccessToken payload.

These few changes should detect it dynamically and check "aud" claim only when it is included in the token.

CuriousLearner commented 1 year ago

Hi @mikedebock !

Any chance this issue will be merged to allow an optional aud field in JWT tokens?

It seems like Cognito provides aud claim only in IDToken and not access token.

As per RFC, this claim should be optional.

If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.

Use of this claim is OPTIONAL.

I see that the lib was updated last in December 2021. Any chance of adding this feature now and making a release?

Thanks!
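As an added illustration of the claim logic discussed in the PR description and in the RFC quote above (example code, not django-cognito-jwt's own implementation): "aud" is validated whenever it is present, ID tokens must carry it, and access tokens, which have none, are instead bound to the app client through Cognito's "client_id" claim so that relaxing the aud check does not accept tokens issued to a different client. The issuer URL and client id below are constructed sample values; the checks assume the token signature has already been verified against the user pool's JWKS.

```python
# Added example (not the library's code): claim checks for Cognito tokens
# where "aud" is only present in ID tokens. Apply AFTER the signature has
# been verified against the user pool's JWKS; these checks are not a
# substitute for signature verification.
import time


class InvalidToken(Exception):
    pass


def verify_cognito_claims(claims, app_client_id, issuer, now=None):
    """Return the validated claims dict or raise InvalidToken.

    ID tokens carry the app client id in "aud"; access tokens carry it in
    "client_id" and have no "aud". Per RFC 7519 section 4.1.3 "aud" is
    optional, but when present it MUST name us, so it is checked whenever
    it exists rather than being skipped outright for access tokens.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise InvalidToken("unexpected issuer")
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("token expired or missing exp")
    token_use = claims.get("token_use")
    if token_use not in ("id", "access"):
        raise InvalidToken("unknown token_use")
    # RFC rule: an "aud" claim, when present, must include this client.
    if "aud" in claims:
        aud = claims["aud"]
        aud = [aud] if isinstance(aud, str) else list(aud)
        if app_client_id not in aud:
            raise InvalidToken("aud does not match app client id")
    elif token_use == "id":
        # Cognito ID tokens always carry "aud"; its absence is malformed.
        raise InvalidToken("id token without aud")
    # Access tokens have no "aud": bind them to the client via "client_id"
    # so that dropping the aud check does not accept any client's tokens.
    if token_use == "access" and claims.get("client_id") != app_client_id:
        raise InvalidToken("client_id does not match app client id")
    return claims


# Constructed sample claims (not real tokens) for the two Cognito token types.
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
ID_CLAIMS = {"iss": ISSUER, "aud": "abc123", "token_use": "id", "exp": 2_000_000_000}
ACCESS_CLAIMS = {"iss": ISSUER, "client_id": "abc123", "token_use": "access", "exp": 2_000_000_000}

if __name__ == "__main__":
    for c in (ID_CLAIMS, ACCESS_CLAIMS):
        print(verify_cognito_claims(c, "abc123", ISSUER)["token_use"], "ok")
```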