[IMP] aud to configurable payload key includes test

dnplkndll · dnplkndll · commit 5da46e05792c · 2025-01-17T20:44:00.000-05:00
diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "18.0.1.0.0",
+    "version": "18.0.1.1.0",
     "license": "LGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],
diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
@@ -64,8 +64,19 @@ class AuthJwtValidator(models.Model):
         ],
         default="RS256",
     )
+    audience_type = fields.Selection(
+        [
+            ("aud", "Audience"),
+            ("group", "Group"),
+            ("scope", "Scope"),
+            ("custom", "Custom"),
+        ],
+        required=True,
+        default="aud",
+    )
+    audience_type_custom = fields.Char(required=False, help="payload key to validate")
     audience = fields.Char(
-        required=True, help="Comma separated list of audiences, to validate aud."
+        required=True, help="Comma separated list of attribute needed."
     )
     issuer = fields.Char(required=True, help="To validate iss.")
     user_id_strategy = fields.Selection(
@@ -160,7 +171,7 @@ def _get_validator_by_name(self, validator_name):
 
     @tools.ormcache("self.public_key_jwk_uri", "kid")
     def _get_key(self, kid):
-        jwks_client = PyJWKClient(self.public_key_jwk_uri, cache_keys=False)
+        jwks_client = PyJWKClient(self.public_key_jwk_uri)
         return jwks_client.get_signing_key(kid).key
 
     def _encode(self, payload, secret, expire):
@@ -194,20 +205,30 @@ def _decode(self, token, secret=None):
                 raise UnauthorizedInvalidToken() from e
             key = self._get_key(header.get("kid"))
             algorithm = self.public_key_algorithm
+        aud = self.audience.split(",") if self.audience_type == "aud" else None
         try:
             payload = jwt.decode(
                 token,
                 key=key,
                 algorithms=[algorithm],
                 options=dict(
-                    require=["exp", "aud", "iss"],
+                    require=["exp", "iss"],
                     verify_exp=True,
-                    verify_aud=True,
                     verify_iss=True,
                 ),
-                audience=self.audience.split(","),
+                audience=aud,
                 issuer=self.issuer,
             )
+            payload_key = (
+                self.audience_type_custom
+                if self.audience_type == "custom"
+                else self.audience_type
+            )
+            if len((self.audience).split(",") or []) > 0:
+                for key_value in (self.audience).split(","):
+                    if key_value in (payload.get(payload_key)).split(" "):
+                        return payload
+                raise UnauthorizedInvalidToken()
         except Exception as e:
             _logger.info("Invalid token: %s", e)
             raise UnauthorizedInvalidToken() from e
diff --git a/auth_jwt/views/auth_jwt_validator_views.xml b/auth_jwt/views/auth_jwt_validator_views.xml
@@ -12,8 +12,8 @@
                             <field name="next_validator_id" />
                         </group>
                         <group colspan="2" string="Token validation">
+                            <field name="audience_type" />
                             <field name="audience" />
-                            <field name="issuer" />
                             <field name="signature_type" />
                             <field
                                 name="secret_key"
