Add configurable issuer/audience validation with dynamic claim support#957
Open
diegocastrum wants to merge 9 commits into jazzband:master from
- Add `ISS_CLAIM` and `ALLOWED_ISSUERS` settings for issuer configuration
- Implement `set_iss()` and `verify_iss()` methods in `Token` class
- Add issuer verification in `Token.verify()` when configured
- Call `set_iss()` in `TokenRefreshSerializer` during token rotation
- Comment out issuer parameter from `TokenBackend` (WIP)
- Disable PyJWT's built-in issuer validation in `decode()`

This enables tokens to have dynamic issuers based on request context while maintaining backward compatibility with the static `ISSUER` setting. Validation supports three modes:

- Static issuer (`ISSUER` setting)
- Whitelist validation (`ALLOWED_ISSUERS` setting)
- Dynamic issuers (no issuer validation beyond format checks)

Note: `TokenBackend` issuer handling still needs refactoring to fully support the dynamic issuer workflow without double-decoding.

Fixes jazzband#899
…port

- add `ISSUER_VALIDATION` setting (static/dynamic) defaulting to static PyJWT enforcement
- pass issuer to `TokenBackend/PyJWT` only in static mode; skip in dynamic mode to allow per-token issuers

Add support for `aud` (audience) and `iss` (issuer) claims in tokens

Fixes jazzband#899
- add `AUDIENCE_VALIDATION` setting (static/dynamic) and wire backend to skip PyJWT audience checks in dynamic mode
- allow `Token.verify_aud` to accept per-token audiences when config is unset and dynamic mode is enabled
- expose backend `verify_aud`/`verify_iss` flags and document the new setting

Add support for `aud` (audience) and `iss` (issuer) claims in tokens

Fixes jazzband#899
This pull request introduces flexible and configurable validation for the JWT audience (`aud`) and issuer (`iss`) claims in both token generation and verification. It allows projects to choose between strict/static validation (using fixed values from settings) or dynamic validation (accepting values from incoming tokens and validating them according to custom logic). The changes include new settings, backend logic updates, token claim handling, and comprehensive tests for these behaviors.

Audience and Issuer Validation Improvements:

- New settings `AUDIENCE_VALIDATION` and `ISSUER_VALIDATION`, allowing control over whether audience and issuer are validated statically (default, using configured values) or dynamically (accepting values from tokens and validating them in code). [1] [2]
- `TokenBackend` updated to respect the new validation modes, passing or omitting `audience` and `issuer` to PyJWT as appropriate. [1] [2] [3] [4]

Token Claim Handling:

- `set_iss`, `set_aud`, `verify_iss`, and `verify_aud` methods in the `Token` class to support dynamic/static claim population and validation, including support for an allowed issuers whitelist. [1] [2]
- Ensures that tokens include `iss` and `aud` claims during creation, and that these claims are validated according to the selected mode. [1] [2]

Documentation Updates:

Testing Enhancements:
Closes #899
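The static/dynamic split described above is the security-relevant part of this change: in dynamic mode PyJWT's own `iss`/`aud` checks are switched off, so the application code must do that validation itself, and without an allowed-issuers whitelist only the claim's format is checked. The block below is an added example, not code from this PR or from djangorestframework-simplejwt. It reimplements a minimal HS256 JWT with the standard library so it runs offline, and the names `verify_token`, `accepts`, `issuer_mode`/`audience_mode`, the demo key and the sample issuer URLs are assumptions. It goes slightly beyond the PR text in handling `aud` both as a single string and as an array, as RFC 7519 allows.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment takes SIGNING_KEY from settings.
SECRET = b"constructed-demo-secret-not-for-production"
STATIC, DYNAMIC = "static", "dynamic"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT encoder; stands in for PyJWT's jwt.encode."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


def decode_signed(token: str, key: bytes = SECRET) -> dict:
    """Verify signature and expiry only. iss/aud are deliberately left to the
    policy functions below, mirroring a backend that tells PyJWT to skip them."""
    try:
        header, body, signature = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if "exp" in claims and claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims


def verify_iss(claims: dict, mode: str, issuer=None, allowed_issuers=None) -> None:
    iss = claims.get("iss")
    if mode == STATIC:
        # Static mode mirrors PyJWT: enforced only when an ISSUER is configured.
        if issuer is not None and iss != issuer:
            raise ValueError(f"issuer {iss!r} does not match the configured issuer")
        return
    # Dynamic mode: PyJWT's check is skipped, so the claim must be validated here.
    # Without an allowed list only the format is checked and any issuer passes.
    if not isinstance(iss, str) or not iss:
        raise ValueError("dynamic issuer mode requires a non-empty string iss claim")
    if allowed_issuers is not None and iss not in allowed_issuers:
        raise ValueError(f"issuer {iss!r} is not in the allowed issuers list")


def verify_aud(claims: dict, mode: str, audience=None) -> None:
    aud = claims.get("aud")
    # RFC 7519 allows aud to be a single string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if mode == STATIC:
        if audience is not None and audience not in audiences:
            raise ValueError(f"aud {audiences!r} does not include the configured audience")
        return
    if not audiences or not all(isinstance(a, str) and a for a in audiences):
        raise ValueError("dynamic audience mode requires a non-empty aud claim")


def verify_token(token: str, *, issuer_mode=STATIC, issuer=None, allowed_issuers=None,
                 audience_mode=STATIC, audience=None, key=SECRET) -> dict:
    """Full check: signature and expiry first, then iss and aud per the policy."""
    claims = decode_signed(token, key)
    verify_iss(claims, issuer_mode, issuer, allowed_issuers)
    verify_aud(claims, audience_mode, audience)
    return claims


def accepts(token: str, **policy) -> bool:
    """True if the policy accepts the token, False if any check rejects it."""
    try:
        verify_token(token, **policy)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample token from a hypothetical identity provider.
    tok = encode({"iss": "https://idp-a.example.test", "aud": ["api"], "sub": "u1",
                  "exp": int(time.time()) + 300})
    print(accepts(tok, issuer="https://idp-a.example.test", audience="api"))  # True
    print(accepts(tok, issuer="https://idp-b.example.test"))  # False
    print(accepts(tok, issuer_mode=DYNAMIC, allowed_issuers=["https://idp-a.example.test"]))  # True
    print(accepts(tok, issuer_mode=DYNAMIC))  # True: no allowed list, any well-formed issuer passes
```

The last call in the `__main__` block is the case to watch when enabling dynamic mode: with no allowed-issuers list configured, a validly signed token from any issuer is accepted, so a deployment that shares a signing key across issuers must either set the whitelist or do its own issuer check in code.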