Add support for aud and iss claims, addresses jazzband#38

Author: ajhodges

README.rst

@@ -151,6 +151,8 @@ Some of Simple JWT's behavior can be customized through settings variables in
       'ALGORITHM': 'HS256',
       'SIGNING_KEY': settings.SECRET_KEY,
       'VERIFYING_KEY': None,
+      'AUDIENCE': None,
+      'ISSUER': None,
 
       'AUTH_HEADER_TYPES': ('Bearer',),
       'USER_ID_FIELD': 'id',
@@ -229,6 +231,16 @@ VERIFYING_KEY
   by the ``ALGORITHM`` setting, the ``VERIFYING_KEY`` setting must be set to a
   string which contains an RSA public key.
 
+AUDIENCE
+  The audience claim to be included in generated tokens and/or validated in
+  decoded tokens. When set to ``None``, this field is excluded from tokens and
+  is not validated.
+
+ISSUER
+  The issuer claim to be included in generated tokens and/or validated in
+  decoded tokens. When set to ``None``, this field is excluded from tokens and
+  is not validated.
+
 AUTH_HEADER_TYPES
   The authorization header type(s) that will be accepted for views that require
   authentication.  For example, a value of ``'Bearer'`` means that views

rest_framework_simplejwt/backends.py

@@ -16,12 +16,14 @@
 
 
 class TokenBackend:
-    def __init__(self, algorithm, signing_key=None, verifying_key=None):
+    def __init__(self, algorithm, signing_key=None, verifying_key=None, audience=None, issuer=None):
         if algorithm not in ALLOWED_ALGORITHMS:
             raise TokenBackendError(format_lazy(_("Unrecognized algorithm type '{}'"), algorithm))
 
         self.algorithm = algorithm
         self.signing_key = signing_key
+        self.audience = audience
+        self.issuer = issuer
         if algorithm.startswith('HS'):
             self.verifying_key = signing_key
         else:
@@ -31,6 +33,11 @@ def encode(self, payload):
         """
         Returns an encoded token for the given payload dictionary.
         """
+        if self.audience:
+            payload['aud'] = self.audience
+        if self.issuer:
+            payload['iss'] = self.issuer
+
         token = jwt.encode(payload, self.signing_key, algorithm=self.algorithm)
         return token.decode('utf-8')
 
@@ -43,6 +50,7 @@ def decode(self, token, verify=True):
         signature check fails, or if its 'exp' claim indicates it has expired.
         """
         try:
-            return jwt.decode(token, self.verifying_key, algorithms=[self.algorithm], verify=verify)
+            return jwt.decode(token, self.verifying_key, algorithms=[self.algorithm], verify=verify,
+                              audience=self.audience, issuer=self.issuer)
         except InvalidTokenError:
             raise TokenBackendError(_('Token is invalid or expired'))

rest_framework_simplejwt/settings.py

@@ -18,6 +18,8 @@
     'ALGORITHM': 'HS256',
     'SIGNING_KEY': settings.SECRET_KEY,
     'VERIFYING_KEY': None,
+    'AUDIENCE': None,
+    'ISSUER': None,
 
     'AUTH_HEADER_TYPES': ('Bearer',),
     'USER_ID_FIELD': 'id',

rest_framework_simplejwt/state.py

@@ -5,4 +5,4 @@
 
 User = get_user_model()
 token_backend = TokenBackend(api_settings.ALGORITHM, api_settings.SIGNING_KEY,
-                             api_settings.VERIFYING_KEY)
+                             api_settings.VERIFYING_KEY, api_settings.AUDIENCE, api_settings.ISSUER)

tests/test_backends.py

@@ -51,11 +51,16 @@
 -----END PUBLIC KEY-----
 '''
 
+AUDIENCE = 'openid-client-id'
+
+ISSUER = 'https://www.myoidcprovider.com'
+
 
 class TestTokenBackend(TestCase):
     def setUp(self):
         self.hmac_token_backend = TokenBackend('HS256', SECRET)
         self.rsa_token_backend = TokenBackend('RS256', PRIVATE_KEY, PUBLIC_KEY)
+        self.aud_iss_token_backend = TokenBackend('RS256', PRIVATE_KEY, PUBLIC_KEY, AUDIENCE, ISSUER)
         self.payload = {'foo': 'bar'}
 
     def test_init(self):
@@ -95,6 +100,20 @@ def test_encode_rsa(self):
             ),
         )
 
+    def test_encode_aud_iss(self):
+        # Should return a JSON web token for the given payload
+        payload = {'exp': make_utc(datetime(year=2000, month=1, day=1))}
+
+        rsa_token = self.aud_iss_token_backend.encode(payload)
+
+        # Token could be one of two depending on header dict ordering
+        self.assertIn(
+            rsa_token,
+            (
+                'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjk0NjY4NDgwMCwiYXVkIjoib3BlbmlkLWNsaWVudC1pZCIsImlzcyI6Imh0dHBzOi8vd3d3Lm15b2lkY3Byb3ZpZGVyLmNvbSJ9.kSz7KyUZgpKaeQHYSQlhsE-UFLG2zhBiJ2MFCIvhstA4lSIKj3U1fdP1OhEDg7X66EquRRIZrby6M7RncqCdsjRwKrEIaL74KgC4s5PDXa_HC6dtpi2GhXqaLz8YxfCPaNGZ_9q9rs4Z4O6WpwBLNmMQrTxNno9p0uT93Z2yKj5hGih8a9C_CSf_rKtsHW9AJShWGoKpR6qQFKVNP1GAwQOQ6IeEvZenq_LSEywnrfiWp4Y5UF7xi42wWx7_YPQtM9_Bp5sB-DbrKg_8t0zSc-OHeVDgH0TKqygGEea09W0QkmJcROkaEbxt2LxJg9OuSdXgudVytV8ewpgNtWNE4g'
+            ),
+        )
+
     def test_decode_hmac_with_no_expiry(self):
         no_exp_token = jwt.encode(self.payload, SECRET, algorithm='HS256')
 
@@ -208,3 +227,13 @@ def test_decode_rsa_success(self):
         token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256').decode('utf-8')
 
         self.assertEqual(self.rsa_token_backend.decode(token), self.payload)
+
+    def test_decode_aud_iss_success(self):
+        self.payload['exp'] = aware_utcnow() + timedelta(days=1)
+        self.payload['foo'] = 'baz'
+        self.payload['aud'] = AUDIENCE
+        self.payload['iss'] = ISSUER
+
+        token = jwt.encode(self.payload, PRIVATE_KEY, algorithm='RS256').decode('utf-8')
+
+        self.assertEqual(self.aud_iss_token_backend.decode(token), self.payload)