fix(auth): support wildcard audience validation for OAuth providers without aud claim

jmrobles · jmrobles · commit bdcc89a93fea · 2025-11-11T08:40:13.000+01:00
The JWT validator's wildcard audience feature (audience: '*') was not working as documented.
When configured with audience: '*', the validator still required tokens to have an aud claim,
preventing Dynamic Client Registration (DCR) from working with OAuth providers that don't include
aud in access tokens (e.g., AWS Cognito which uses client_id instead).

Changes:
- Make audience validation conditional in jwt.verify() options
- Only require aud claim when config.audience !== '*'
- Update debug logging to handle tokens without aud claim

This enables full DCR support for all RFC-compliant OAuth 2.0/2.1 providers.
diff --git a/src/auth/validators/jwt-validator.ts b/src/auth/validators/jwt-validator.ts
@@ -107,11 +107,15 @@ export class JWTValidator {
     return new Promise((resolve, reject) => {
       const options: VerifyOptions = {
         algorithms: this.config.algorithms as jwt.Algorithm[],
-        audience: this.config.audience,
         issuer: this.config.issuer,
         complete: false,
       };
 
+      // Only validate audience if not set to wildcard
+      if (this.config.audience !== '*') {
+        options.audience = this.config.audience;
+      }
+
       jwt.verify(token, publicKey, options, (err, decoded) => {
         if (err) {
           if (err.name === 'TokenExpiredError') {
@@ -147,7 +151,8 @@ export class JWTValidator {
           return;
         }
 
-        if (!claims.aud) {
+        // Only require aud claim if not set to wildcard
+        if (this.config.audience !== '*' && !claims.aud) {
           reject(new Error('Token missing required claim: aud'));
           return;
         }
@@ -157,9 +162,11 @@ export class JWTValidator {
           return;
         }
 
-        logger.debug(
-          `Token claims validated - sub: ${claims.sub}, iss: ${claims.iss}, aud: ${Array.isArray(claims.aud) ? claims.aud.join(', ') : claims.aud}`
-        );
+        const audInfo = claims.aud
+          ? `aud: ${Array.isArray(claims.aud) ? claims.aud.join(', ') : claims.aud}`
+          : 'aud: <not present - wildcard mode>';
+
+        logger.debug(`Token claims validated - sub: ${claims.sub}, iss: ${claims.iss}, ${audInfo}`);
         resolve(claims);
       });
     });
