fix aud validation (#63)

Co-authored-by: Roberto Falk <roberto.falk@sap.com>
SAP · Jul 18, 2023 · d90c9e0 · d90c9e0
1 parent 77c8216
commit d90c9e0
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 17 deletions.
diff --git a/.gitignore b/.gitignore
@@ -95,6 +95,7 @@ ENV/
 
 # IDE
 .vscode/
+.devcontainer/
 
 # local tests
 local_tests/

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,9 +5,13 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/).
 
+## 4.0.1
+### Fixed
+- Bug: fix `aud` validation for IAS tokens
+
 ## 4.0.0
 ### Removed
-- Removed suport for sap_py_jwt.
+- Removed suport for sap_py_jwt
 
 ## 3.3.0
 ### Added

diff --git a/Dockerfile b/Dockerfile
diff --git a/sap/xssec/jwt_audience_validator.py b/sap/xssec/jwt_audience_validator.py
@@ -46,7 +46,7 @@ def configure_trusted_clientId(self, client_id):
         if client_id:
             self.trusted_clientids.add(client_id)
 
-    def validate_token(self, clientId_from_token=None, audiences_from_token= [], scopes_from_token = []):
+    def validate_token(self, clientId_from_token=None, audiences_from_token=[], scopes_from_token=[]):
         self.is_foreign_mode = False
         allowed_audiences = self.extract_audiences_from_token(audiences_from_token, scopes_from_token, clientId_from_token)
         if (self.validate_same_clientId(clientId_from_token) == True or
@@ -57,7 +57,7 @@ def validate_token(self, clientId_from_token=None, audiences_from_token= [], sco
             return False
 
 
-    def extract_audiences_from_token(self, audiences_from_token= [], scopes_from_token= [], clientid_from_token=None):
+    def extract_audiences_from_token(self, audiences_from_token=[], scopes_from_token=[], clientid_from_token=None):
         '''
         Extracts Audience From Token
         '''

diff --git a/sap/xssec/security_context_ias.py b/sap/xssec/security_context_ias.py
@@ -62,7 +62,11 @@ def validate_audience(self):
         """
         check `aud` in jwt token
         """
-        validation_result = self.audience_validator.validate_token(audiences_from_token=self.token_payload["aud"])
+
+        # Make sure `aud` is a list
+        aud = [self.token_payload["aud"]] if isinstance(self.token_payload["aud"], str) else self.token_payload["aud"]
+
+        validation_result = self.audience_validator.validate_token(audiences_from_token=aud)
         if validation_result is False:
             raise RuntimeError('Audience Validation Failed')
         return self

diff --git a/version.txt b/version.txt
@@ -1 +1 @@
-4.0.0
+4.0.1