Fix bug if application does not specify audience (#336)

* Fix bug if application does not specify audience * Update changelog * Fixing blank line * Fixing error message with missing audience
jpadilla · Mar 15, 2018 · 02374f4 · 02374f4
1 parent 9d98078
commit 02374f4
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 0 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -25,3 +25,5 @@ Patches and Suggestions
  - Michael Davis <mike.philip.davis@gmail.com> <mike.davis@workiva.com>
 
  - Vinod Gupta <codervinod@gmail.com>
+
+ - Derek Weitzel <djw8605@gmail.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Fixed
 
+- Audience parameter throws `InvalidAudienceError` when application does not specify an audience, but the token does. [#336][336]
+
 ### Added
 
 [v1.6.0][1.6.0]
@@ -222,3 +224,4 @@ rarely used. Users affected by this should upgrade to 3.3+.
 [315]: https://github.com/jpadilla/pyjwt/pull/315
 [316]: https://github.com/jpadilla/pyjwt/pull/316
 [7c1e61d]: https://github.com/jpadilla/pyjwt/commit/7c1e61dde27bafe16e7d1bb6e35199e778962742
+[336]: https://github.com/jpadilla/pyjwt/pull/336
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
@@ -168,6 +168,11 @@ def _validate_aud(self, payload, audience):
             # verified since the token does not contain a claim.
             raise MissingRequiredClaimError('aud')
 
+        if audience is None and 'aud' in payload:
+            # Application did not specify an audience, but
+            # the token has the 'aud' claim
+            raise InvalidAudienceError('Invalid audience')
+
         audience_claims = payload['aud']
 
         if isinstance(audience_claims, string_types):

diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
@@ -288,6 +288,15 @@ def test_check_audience_list_when_valid(self, jwt):
         token = jwt.encode(payload, 'secret')
         jwt.decode(token, 'secret', audience=['urn:you', 'urn:me'])
 
+    def test_check_audience_none_specified(self, jwt):
+        payload = {
+            'some': 'payload',
+            'aud': 'urn:me'
+        }
+        token = jwt.encode(payload, 'secret')
+        with pytest.raises(InvalidAudienceError):
+            jwt.decode(token, 'secret')
+
     def test_raise_exception_invalid_audience_list(self, jwt):
         payload = {
             'some': 'payload',
Original file line number	Diff line number	Diff line change
Expand Up		@@ -25,3 +25,5 @@ Patches and Suggestions
		- Michael Davis <mike.philip.davis@gmail.com> <mike.davis@workiva.com>

		- Vinod Gupta <codervinod@gmail.com>

		- Derek Weitzel <djw8605@gmail.com>