Contributor

@jsdt jsdt commented Oct 30, 2025

Description of Changes

The aud claim is required in the OIDC spec, but the server currently allows it to be missing, and the spacetime auth tokens we use for the website don't have an audience.

Previously the module bindings would throw an error if there were no aud claim in a JWT payload (if someone used the audience within a reducer), but this change makes us treat a missing audience as an empty list.

This also renames the authCtx fields to senderAuth in the TypeScript and C# module APIs, so they match Rust.

API and ABI breaking changes

This doesn't break any ABIs.

This changes the ReducerContext APIs in TypeScript and Rust, but only by renaming a field that hasn't been released yet.

Expected complexity level and risk

Testing

I've tested accessing the audience within a reducer for a token missing an aud claim in TypeScript and Rust.
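The behaviour this description covers, as an added example that is not code from the PR or from SpacetimeDB: a missing `aud` claim is normalised to an empty list, so an audience check in calling code fails closed instead of throwing. The helper names (`audiences`, `decodePayload`, `hasAudience`, `sampleToken`) and the sample tokens are hypothetical and constructed here, and signature verification is assumed to have happened already.

```javascript
// Added example; helper names are hypothetical, not the SpacetimeDB module API.
// Assumes the token's signature was already verified before these run.

// RFC 7519: "aud" is one string or an array of strings. A missing claim
// becomes an empty list, as the PR describes; any other type is rejected.
function audiences(payload) {
  const aud = payload.aud;
  if (aud === undefined) return [];
  if (typeof aud === "string") return [aud];
  if (Array.isArray(aud) && aud.every((a) => typeof a === "string")) return aud;
  throw new TypeError("aud claim must be a string or an array of strings");
}

// Decode the payload segment of a compact JWT (header.payload.signature).
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Fail closed: an empty audience list never satisfies the check.
function hasAudience(token, expected) {
  if (typeof expected !== "string" || expected === "") {
    throw new Error("an expected audience is required");
  }
  return audiences(decodePayload(token)).includes(expected);
}

// Constructed sample tokens (placeholder signature, not real credentials).
function sampleToken(payload) {
  const seg = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${seg({ alg: "RS256", typ: "JWT" })}.${seg(payload)}.constructed`;
}
const base = { iss: "https://issuer.example", sub: "user-1" };
const SAMPLES = {
  missing: sampleToken(base),
  single: sampleToken({ ...base, aud: "my-module" }),
  list: sampleToken({ ...base, aud: ["website", "my-module"] }),
  malformed: sampleToken({ ...base, aud: 42 }),
};

for (const name of ["missing", "single", "list"]) {
  console.log(name, hasAudience(SAMPLES[name], "my-module"));
}
```
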

Collaborator

@jdetter jdetter left a comment

The Rust and C# changes look correct to me. I'm not as familiar with TypeScript, but Jeff says that he has already tested it. Given this, I'm fine to approve 👍

(I have not tested any of this myself)

@jsdt jsdt enabled auto-merge October 30, 2025 21:25
@jsdt jsdt disabled auto-merge October 30, 2025 21:32
Contributor

@cloutiertyler cloutiertyler left a comment

These changes look good to me.

@jsdt jsdt added this pull request to the merge queue Oct 31, 2025
Merged via the queue into master with commit 9586136 Oct 31, 2025
24 of 25 checks passed
github-merge-queue bot pushed a commit that referenced this pull request Oct 31, 2025
# Description of Changes

This adds some code samples for using auth claims in Rust, Typescript,
and C#.

Much of this was originally in
#3218.

# API and ABI breaking changes

<!-- If this is an API or ABI breaking change, please apply the
corresponding GitHub label. -->

# Expected complexity level and risk

1: this is a docs-only change.

# Testing

I've tested these code samples locally (with the changes in
#3542).

---------

Signed-off-by: Jeffrey Dallatezza <jeffreydallatezza@gmail.com>
Co-authored-by: John Detter <4099508+jdetter@users.noreply.github.com>
Co-authored-by: Tyler Cloutier <cloutiertyler@users.noreply.github.com>
@jsdt jsdt deleted the jsdt/handle-missing-aud branch October 31, 2025 16:13