Skip to content

Commit 5eda81c

Browse files
aeltorioaeltorio
committed
feat: enhance JWT validation by adding audience check and logging errors
1 parent b4250c2 commit 5eda81c

File tree

2 files changed

+13
-8
lines changed

2 files changed

+13
-8
lines changed

src/visualization/jwt.rs

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -483,12 +483,13 @@ impl Issuer for JwtTokenMap {
483483
return Ok(Some(entry.grant.clone()));
484484
}
485485

486-
// Create custom validation
487-
let mut validation = Validation::new(self.algorithm);
488-
validation.validate_exp = true;
489-
validation.validate_nbf = true;
490-
validation.set_issuer(&[&self.issuer]);
491-
// Note: we don't validate audience here since it depends on the client
486+
// Create custom validation
487+
let mut validation = Validation::new(self.algorithm);
488+
validation.validate_exp = true;
489+
validation.validate_nbf = true;
490+
validation.set_issuer(&[&self.issuer]);
491+
// We should extract the audience from the token first and then validate it
492+
// This approach is needed because we may not know the audience in advance
492493

493494
let token_data = match decode::<JwtClaims>(token, &self.verification_key, &validation) {
494495
Ok(data) => data,

tests/rs256_jwt_test.rs

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -96,9 +96,12 @@ fn test_rs256_jwt_token_generation_and_validation() {
9696

9797
let mut validation = jsonwebtoken::Validation::new(Algorithm::RS256);
9898
validation.validate_exp = false; // Skip expiration validation for testing
99-
99+
validation.set_audience(&["test_client"]); // Set expected audience to match the token
100100

101101
let token_data = jsonwebtoken::decode::<serde_json::Value>(&token, &decoding_key, &validation);
102+
if let Err(err) = &token_data {
103+
println!("JWT Verification Error: {:?}", err);
104+
}
102105
assert!(token_data.is_ok(), "Should be able to verify the token");
103106
let claims = token_data.unwrap().claims;
104107

@@ -111,7 +114,8 @@ fn test_rs256_jwt_token_generation_and_validation() {
111114
let (_, wrong_public_key_bytes, _, _) = generate_test_rs256_keys();
112115
let wrong_decoding_key = DecodingKey::from_rsa_pem(&wrong_public_key_bytes)
113116
.expect("Failed to create wrong decoding key");
114-
117+
118+
// The validation settings remain the same as above, with audience already set
115119
let wrong_verify_result =
116120
jsonwebtoken::decode::<serde_json::Value>(&token, &wrong_decoding_key, &validation);
117121

0 commit comments

Comments
 (0)