[IMP] allow several authorization types over aud after authentication

OCA · Jan 17, 2025 · 34e84af · 34e84af
1 parent 0068509
commit 34e84af
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 6 deletions.
diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "18.0.1.0.0",
+    "version": "18.0.1.1.0",
     "license": "LGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],

diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
@@ -65,7 +65,14 @@ class AuthJwtValidator(models.Model):
         default="RS256",
     )
     audience = fields.Char(
-        required=True, help="Comma separated list of audiences, to validate aud."
+        required=False, help="Comma separated list of audiences, to validate aud."
+    )
+    scopes = fields.Char(
+        required=False, help="Comma separated list of scopes, to validate scope."
+    )
+    groups = fields.Char(
+        required=False,
+        help="Comma separated list of groups, to validate group membership.",
     )
     issuer = fields.Char(required=True, help="To validate iss.")
     user_id_strategy = fields.Selection(
@@ -160,7 +167,7 @@ def _get_validator_by_name(self, validator_name):
 
     @tools.ormcache("self.public_key_jwk_uri", "kid")
     def _get_key(self, kid):
-        jwks_client = PyJWKClient(self.public_key_jwk_uri, cache_keys=False)
+        jwks_client = PyJWKClient(self.public_key_jwk_uri)
         return jwks_client.get_signing_key(kid).key
 
     def _encode(self, payload, secret, expire):
@@ -200,14 +207,29 @@ def _decode(self, token, secret=None):
                 key=key,
                 algorithms=[algorithm],
                 options=dict(
-                    require=["exp", "aud", "iss"],
+                    require=["exp", "iss"],
                     verify_exp=True,
-                    verify_aud=True,
                     verify_iss=True,
                 ),
-                audience=self.audience.split(","),
                 issuer=self.issuer,
             )
+            if len(self.audience) > 0:
+                if (payload.get("client_id") in (self.audience).split(",")) or (
+                    payload.get("aud") in self.audience.split(",")
+                ):
+                    return payload
+                else:
+                    raise UnauthorizedInvalidToken()
+            if len(self.scopes) > 0:
+                if payload.get("scope") in (self.scopes).split(","):
+                    return payload
+                else:
+                    raise UnauthorizedInvalidToken()
+            if len(self.groups) > 0:
+                if payload.get("group") in (self.groups).split(","):
+                    return payload
+                else:
+                    raise UnauthorizedInvalidToken()
         except Exception as e:
             _logger.info("Invalid token: %s", e)
             raise UnauthorizedInvalidToken() from e