Add audience claim verification to all verify methods (#422)

* add audience claim verification to all verify methods

* fix lint

* fix union

---------

Co-authored-by: Reuven Zabirov <[email protected]>
Co-authored-by: Omer C <[email protected]>
Co-authored-by: Reuven Zabirov <[email protected]>

Author: 3 people

descope/auth.py

@@ -5,9 +5,9 @@
 import os
 import platform
 import re
-from collections.abc import Iterable
 from http import HTTPStatus
 from threading import Lock
+from typing import Iterable
 
 import jwt
 
@@ -188,7 +188,9 @@ def do_delete(
         self._raise_from_response(response)
         return response
 
-    def exchange_token(self, uri, code: str) -> dict:
+    def exchange_token(
+        self, uri, code: str, audience: str | None | Iterable[str] = None
+    ) -> dict:
         if not code:
             raise AuthException(
                 400,
@@ -200,7 +202,7 @@ def exchange_token(self, uri, code: str) -> dict:
         response = self.do_post(uri=uri, body=body, params=None)
         resp = response.json()
         jwt_response = self.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME), audience
         )
         return jwt_response
 
@@ -682,7 +684,12 @@ def validate_and_refresh_session(
                 )
             return self.refresh_session(refresh_token, audience)
 
-    def select_tenant(self, tenant_id: str, refresh_token: str) -> dict:
+    def select_tenant(
+        self,
+        tenant_id: str,
+        refresh_token: str,
+        audience: str | None | Iterable[str] = None,
+    ) -> dict:
         if not refresh_token:
             raise AuthException(
                 400,
@@ -697,7 +704,7 @@ def select_tenant(self, tenant_id: str, refresh_token: str) -> dict:
 
         resp = response.json()
         jwt_response = self.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), audience
         )
         return jwt_response
 

descope/authmethod/magiclink.py

@@ -1,5 +1,7 @@
 from __future__ import annotations
 
+from typing import Iterable
+
 from descope._auth_base import AuthBase
 from descope.auth import Auth
 from descope.common import (
@@ -85,13 +87,13 @@ def sign_up_or_in(
         response = self._auth.do_post(uri, body, None)
         return Auth.extract_masked_address(response.json(), method)
 
-    def verify(self, token: str) -> dict:
+    def verify(self, token: str, audience: str | None | Iterable[str] = None) -> dict:
         uri = EndpointsV1.verify_magiclink_auth_path
         body = MagicLink._compose_verify_body(token)
         response = self._auth.do_post(uri, body, None)
         resp = response.json()
         jwt_response = self._auth.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), audience
         )
         return jwt_response
 

descope/authmethod/otp.py

@@ -1,5 +1,7 @@
 from __future__ import annotations
 
+from typing import Iterable
+
 from descope._auth_base import AuthBase
 from descope.auth import Auth
 from descope.common import (
@@ -124,7 +126,13 @@ def sign_up_or_in(
         response = self._auth.do_post(uri, body)
         return Auth.extract_masked_address(response.json(), method)
 
-    def verify_code(self, method: DeliveryMethod, login_id: str, code: str) -> dict:
+    def verify_code(
+        self,
+        method: DeliveryMethod,
+        login_id: str,
+        code: str,
+        audience: str | None | Iterable[str] = None,
+    ) -> dict:
         """
         Verify the validity of an OTP code entered by an end user during sign_in or sign_up.
         (This function is not needed if you are using the sign_up_or_in function.
@@ -153,7 +161,7 @@ def verify_code(self, method: DeliveryMethod, login_id: str, code: str) -> dict:
 
         resp = response.json()
         jwt_response = self._auth.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), audience
         )
         return jwt_response
 

descope/authmethod/password.py

@@ -1,12 +1,20 @@
 from __future__ import annotations
 
+from typing import Iterable
+
 from descope._auth_base import AuthBase
 from descope.common import REFRESH_SESSION_COOKIE_NAME, EndpointsV1
 from descope.exceptions import ERROR_TYPE_INVALID_ARGUMENT, AuthException
 
 
 class Password(AuthBase):
-    def sign_up(self, login_id: str, password: str, user: dict | None = None) -> dict:
+    def sign_up(
+        self,
+        login_id: str,
+        password: str,
+        user: dict | None = None,
+        audience: str | None | Iterable[str] = None,
+    ) -> dict:
         """
         Sign up (create) a new user using a login ID and password.
             (optional) Include additional user metadata that you wish to save.
@@ -42,14 +50,15 @@ def sign_up(self, login_id: str, password: str, user: dict | None = None) -> dic
 
         resp = response.json()
         jwt_response = self._auth.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), audience
         )
         return jwt_response
 
     def sign_in(
         self,
         login_id: str,
         password: str,
+        audience: str | None | Iterable[str] = None,
     ) -> dict:
         """
         Sign in by verifying the validity of a password entered by an end user.
@@ -82,7 +91,7 @@ def sign_in(
 
         resp = response.json()
         jwt_response = self._auth.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), audience
         )
         return jwt_response
 
@@ -166,7 +175,13 @@ def update(self, login_id: str, new_password: str, refresh_token: str) -> None:
             uri, {"loginId": login_id, "newPassword": new_password}, None, refresh_token
         )
 
-    def replace(self, login_id: str, old_password: str, new_password: str) -> dict:
+    def replace(
+        self,
+        login_id: str,
+        old_password: str,
+        new_password: str,
+        audience: str | None | Iterable[str] = None,
+    ) -> dict:
         """
         Replace a valid active password with a new one. The old_password is used to
         authenticate the user. If the user cannot be authenticated, this operation
@@ -213,7 +228,7 @@ def replace(self, login_id: str, old_password: str, new_password: str) -> dict:
 
         resp = response.json()
         jwt_response = self._auth.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), audience
         )
         return jwt_response
 

descope/authmethod/totp.py

@@ -1,4 +1,4 @@
-from typing import Optional
+from typing import Iterable, Optional, Union
 
 from descope._auth_base import AuthBase
 from descope.common import (
@@ -49,6 +49,7 @@ def sign_in_code(
         code: str,
         login_options: Optional[LoginOptions] = None,
         refresh_token: Optional[str] = None,
+        audience: Union[str, None, Iterable[str]] = None,
     ) -> dict:
         """
         Sign in by verifying the validity of a TOTP code entered by an end user.
@@ -86,7 +87,7 @@ def sign_in_code(
 
         resp = response.json()
         jwt_response = self._auth.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), audience
         )
         return jwt_response
 

descope/authmethod/webauthn.py

@@ -1,4 +1,4 @@
-from typing import Optional
+from typing import Iterable, Optional, Union
 
 from requests import Response
 
@@ -41,7 +41,12 @@ def sign_up_start(
 
         return response.json()
 
-    def sign_up_finish(self, transaction_id: str, response: Response) -> dict:
+    def sign_up_finish(
+        self,
+        transaction_id: str,
+        response: Response,
+        audience: Union[str, None, Iterable[str]] = None,
+    ) -> dict:
         """
         Docs
         """
@@ -61,7 +66,7 @@ def sign_up_finish(self, transaction_id: str, response: Response) -> dict:
 
         resp = response.json()
         jwt_response = self._auth.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), audience
         )
         return jwt_response
 
@@ -93,7 +98,12 @@ def sign_in_start(
 
         return response.json()
 
-    def sign_in_finish(self, transaction_id: str, response: Response) -> dict:
+    def sign_in_finish(
+        self,
+        transaction_id: str,
+        response: Response,
+        audience: Union[str, None, Iterable[str]] = None,
+    ) -> dict:
         """
         Docs
         """
@@ -113,7 +123,7 @@ def sign_in_finish(self, transaction_id: str, response: Response) -> dict:
 
         resp = response.json()
         jwt_response = self._auth.generate_jwt_response(
-            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), None
+            resp, response.cookies.get(REFRESH_SESSION_COOKIE_NAME, None), audience
         )
         return jwt_response
 

descope/descope_client.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-from collections.abc import Iterable
+from typing import Iterable
 
 import requests