fix: allow other authorized party for client_credentials

samedii · samedii · commit 0cce47ed6f63 · 2021-09-16T23:17:13.000+02:00
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -9,8 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8, 3.9]
-      fail-fast: false
+        python-version: [3.9]
 
     steps:
       - uses: actions/checkout@v2
diff --git a/fastapi_third_party_auth/auth.py b/fastapi_third_party_auth/auth.py
@@ -239,15 +239,15 @@ def authenticate_user(
                 },
             )
 
-            if self.client_id is not None:
-                token_audience = id_token["aud"]
-                if "azp" in id_token:
-                    if id_token["azp"] != self.client_id:
-                        raise JWTError(
-                            f"""Invalid authorized party "azp": {id_token["azp"]}"""
-                        )
-                elif type(token_audience) == list and len(token_audience) >= 1:
-                    raise JWTError('Missing authorized party "azp" in IDToken')
+            if (
+                type(id_token["aud"]) == list
+                and len(id_token["aud"]) >= 1
+                and "azp" not in id_token
+            ):
+                raise JWTError(
+                    'Missing authorized party "azp" in IDToken when there '
+                    "are multiple audiences"
+                )
 
         except (ExpiredSignatureError, JWTError, JWTClaimsError) as error:
             raise HTTPException(status_code=401, detail=f"Unauthorized: {error}")
