Add support for configurable audience (HarryMWinters#15) 🔮

- Adds optional audience argument to get_auth.
- Makes audience default to Client ID when unspecified.
- Adds tests for new functionality.
- Updates docs.

Author: BoneyAz

README.md

@@ -45,6 +45,8 @@ from fastapi_oidc import get_auth
 
 OIDC_config = {
     "client_id": "0oa1e3pv9opbyq2Gm4x7",
+    # Audience can be omitted in which case the aud value defaults to client_id
+    "audience": "https://yourapi.url.com/api",
     "base_authorization_server_uri": "https://dev-126594.okta.com",
     "issuer": "dev-126594.okta.com",
     "signature_cache_ttl": 3600,

fastapi_oidc/auth.py

@@ -17,6 +17,7 @@ def test_auth(authenticated_user: AuthenticatedUser = Depends(authenticate_user)
 """
 
 from typing import Callable
+from typing import Optional
 
 from fastapi import Depends
 from fastapi import HTTPException
@@ -33,6 +34,7 @@ def test_auth(authenticated_user: AuthenticatedUser = Depends(authenticate_user)
 def get_auth(
     *_,
     client_id: str,
+    audience: Optional[str] = None,
     base_authorization_server_uri: str,
     issuer: str,
     signature_cache_ttl: int,
@@ -44,6 +46,8 @@ def get_auth(
 
     Args:
         client_id (str): This string is provided when you register with your resource server.
+        audience (str): (Optional) The audience string configured by your auth server.
+            If not set defaults to client_id
         base_authorization_server_uri(URL): Everything before /.wellknow in your auth server URL.
             I.E. https://dev-123456.okta.com
         issuer (URL): Same as base_authorization. This is used to generating OpenAPI3.0 docs which
@@ -94,8 +98,7 @@ def authenticate_user(auth_header: str = Depends(oauth2_scheme)) -> IDToken:
                 id_token,
                 key,
                 algorithms,
-                # TODO Check that client ID will always equal audience
-                audience=client_id,
+                audience=audience if audience else client_id,
                 issuer=issuer,
                 # Disabled at_hash check since we aren't using the access token
                 options={"verify_at_hash": False},

tests/test_auth.py

@@ -35,6 +35,15 @@ class Fixtures:
 
 
 TEST_CONFIG = {
+    "client_id": "CongenitalOptimist",
+    "audience": "NeverAgain",
+    "base_authorization_server_uri": "WhatAreTheCivilianApplications?",
+    "issuer": "PokeItWithAStick",
+    "signature_cache_ttl": 6e3,
+}
+
+# Test configuration without audience
+TEST_CONFIG_NO_AUD = {
     "client_id": "CongenitalOptimist",
     "base_authorization_server_uri": "WhatAreTheCivilianApplications?",
     "issuer": "PokeItWithAStick",
@@ -46,7 +55,39 @@ def _make_token(
     email: str,
     private_key: str = Fixtures.TESTING_PRIVATE_KEY,
     client_id: str = str(TEST_CONFIG["client_id"]),
+    audience: str = str(TEST_CONFIG["audience"]),
     issuer: str = str(TEST_CONFIG["issuer"]),
+) -> str:
+    now = int(time.time())
+    return jwt.encode(
+        {
+            "aud": audience,
+            "iss": issuer,
+            "email": email,
+            "name": "SweetAndFullOfGrace",
+            "preferred_username": "Sweet",
+            "exp": now + 30,
+            "auth_time": now,
+            "sub": "foo",
+            "ver": "1",
+            "iat": now,
+            "jti": str(uuid.uuid4()),
+            "amr": [],
+            "idp": "",
+            "nonce": "",
+            "at_hash": "",
+        },
+        private_key,
+        algorithm="RS256",
+    ).decode("UTF-8")
+
+
+# Make a token where audience is client_id
+def _make_token_no_aud(
+    email: str,
+    private_key: str = Fixtures.TESTING_PRIVATE_KEY,
+    client_id: str = str(TEST_CONFIG_NO_AUD["client_id"]),
+    issuer: str = str(TEST_CONFIG_NO_AUD["issuer"]),
 ) -> str:
     now = int(time.time())
     return jwt.encode(
@@ -87,3 +128,22 @@ class functions:
     authenticate_user = auth.get_auth(**TEST_CONFIG)
     IDToken = authenticate_user(auth_header=f"Bearer {token}")
     assert IDToken.email == email  # nosec
+
+
+# Ensure that when no audience is supplied, that the audience defaults to client ID
+def test__authenticate_user_no_aud(monkeypatch):
+    def mock_discovery(*args, **kwargs):
+        class functions:
+            auth_server = lambda **_: Fixtures.OIDC_DISCOVERY_RESPONSE
+            public_keys = lambda _: Fixtures.TESTING_PUBLIC_KEY
+            signing_algos = lambda x: x["id_token_signing_alg_values_supported"]
+
+        return functions
+
+    monkeypatch.setattr(auth.discovery, "configure", mock_discovery)
+    email = "AnticipationOfANewLoversArrivalThe@VeryLittleGravitasIndeed"
+    token = _make_token_no_aud(email=email)
+    authenticate_user = auth.get_auth(**TEST_CONFIG_NO_AUD)
+    IDToken = authenticate_user(auth_header=f"Bearer {token}")
+    assert IDToken.email == email  # nosec
+    assert IDToken.aud == TEST_CONFIG_NO_AUD["client_id"]