Open robrap opened 1 year ago
@robrap what do you mean by "Clean up" here? Should this setting be removed, or should we be updating everything so that it defaults to true? Something else?
Also, it sounds like there is a second small task to not encrypt the Audience data in the JWT? How would that work, isn't the Audience a part of the payload?
JWT audience is validated if `JWT_VERIFY_AUDIENCE` is set to True. See https://github.com/openedx/edx-drf-extensions/blob/ae7416f200bb7595b0172eb345e669c7fbcbc903/edx_rest_framework_extensions/auth/jwt/decoder.py#L260. However, since we don't have a strong stance on this, `JWT_VERIFY_AUDIENCE` is set to False in many places, including in edx.org settings. See https://github.com/search?q=(org%3Aopenedx%20OR%20org%3Aedx)%20JWT_VERIFY_AUDIENCE&type=code

Additionally, in many edx.org settings, the AUDIENCE setting is unnecessarily encrypted, which leads to further confusion.