diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index 8a311e5bdf..1acd7340a6 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
 "name": "Auth JWT",
 "summary": """
 JWT bearer token authentication.""",
- "version": "18.0.1.0.0",
+ "version": "18.0.1.1.0",
 "license": "LGPL-3",
 "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
 "maintainers": ["sbidoul"],
diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 13649adad2..2618b72cd0 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -65,7 +65,14 @@ class AuthJwtValidator(models.Model):
 default="RS256",
 )
 audience = fields.Char(
- required=True, help="Comma separated list of audiences, to validate aud."
+ required=False, help="Comma separated list of audiences, to validate aud."
+ )
+ scopes = fields.Char(
+ required=False, help="Comma separated list of scopes, to validate scope."
+ )
+ groups = fields.Char(
+ required=False,
+ help="Comma separated list of groups, to validate group membership.",
 )
 issuer = fields.Char(required=True, help="To validate iss.")
 user_id_strategy = fields.Selection(
@@ -160,7 +167,7 @@ def _get_validator_by_name(self, validator_name):
 @tools.ormcache("self.public_key_jwk_uri", "kid")
 def _get_key(self, kid):
- jwks_client = PyJWKClient(self.public_key_jwk_uri, cache_keys=False)
+ jwks_client = PyJWKClient(self.public_key_jwk_uri)
 return jwks_client.get_signing_key(kid).key
 def _encode(self, payload, secret, expire):
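Review bot: The help text on `audience` should spell out what an empty value now means, since the field is no longer required and the decode path in this commit drops PyJWT's `verify_aud` in favour of a manual check: a blank audience disables audience binding entirely, so any token from the configured issuer that was minted for another relying party is accepted. Suggest `help="Comma separated list of audiences, to validate aud. Leave empty to skip audience validation (not recommended)."`, and the same "leave empty to skip" wording on `scopes` and `groups`. The enclosing `AuthJwtValidator` class starts before the hunk.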
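Review bot: The reason for dropping `cache_keys=False` is not recorded anywhere in the hunk; since `_get_key` is memoized by `@tools.ormcache` on (uri, kid) and a fresh `PyJWKClient` is built on every cache miss, the client's own key cache presumably never serves a second lookup, so the change looks behaviour-neutral but deserves a line saying so. Suggest `# key lookups are memoized by ormcache; the PyJWKClient instance is not reused across calls`. The same comment is a good place to note that a key rotated or withdrawn at the JWKS endpoint keeps validating until the ormcache entry is invalidated, which is pre-existing behaviour but easy to miss.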
@@ -200,14 +207,29 @@ def _decode(self, token, secret=None):
 key=key,
 algorithms=[algorithm],
 options=dict(
- require=["exp", "aud", "iss"],
+ require=["exp", "iss"],
 verify_exp=True,
- verify_aud=True,
 verify_iss=True,
 ),
- audience=self.audience.split(","),
 issuer=self.issuer,
 )
+ if len(self.audience) > 0:
+ if (payload.get("client_id") in (self.audience).split(",")) or (
+ payload.get("aud") in self.audience.split(",")
+ ):
+ return payload
+ else:
+ raise UnauthorizedInvalidToken()
+ if len(self.scopes) > 0:
+ if payload.get("scope") in (self.scopes).split(","):
+ return payload
+ else:
+ raise UnauthorizedInvalidToken()
+ if len(self.groups) > 0:
+ if payload.get("group") in (self.groups).split(","):
+ return payload
+ else:
+ raise UnauthorizedInvalidToken()
 except Exception as e:
 _logger.info("Invalid token: %s", e)
 raise UnauthorizedInvalidToken() from e
diff --git a/auth_jwt/views/auth_jwt_validator_views.xml b/auth_jwt/views/auth_jwt_validator_views.xml
index 8aac0f500f..1bba933218 100644
--- a/auth_jwt/views/auth_jwt_validator_views.xml
+++ b/auth_jwt/views/auth_jwt_validator_views.xml
@@ -13,6 +13,8 @@ + +
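Review bot: The audience branch ends with `return payload` on a match, so whenever `audience` is configured the `scopes` and `groups` checks below it are never reached, and the scope branch likewise returns before the group check — a validator configured with all three only ever enforces the first. Each block should raise on mismatch and fall through on success, leaving the final return of `_decode` (which starts and ends outside this hunk) to deliver the payload. `len(self.audience) > 0` is also fragile: an Odoo Char left blank reads as `False`, so I believe `len()` raises TypeError, which the broad `except Exception` turns into UnauthorizedInvalidToken for every token — `if self.audience:` is the usual test. With `verify_aud` removed from `jwt.decode` this manual check is now the only audience binding: `aud` may be a list per RFC 7519, which `in self.audience.split(",")` never matches, and accepting `client_id` in place of `aud` lets a token the same client obtained for a different resource pass, so if that is intended it deserves a comment. The `scope` claim is conventionally a space-separated string, so exact membership only matches single-scope tokens; confirm that is what the issuer emits.
```python
            # … unchanged: jwt.decode(...) with require=["exp", "iss"] …
            if self.audience:
                allowed = self.audience.split(",")
                aud = payload.get("aud")
                # RFC 7519: "aud" may be a single string or a list of strings
                aud_values = aud if isinstance(aud, list) else [aud]
                if payload.get("client_id") not in allowed and not any(
                    a in allowed for a in aud_values
                ):
                    raise UnauthorizedInvalidToken()
            if self.scopes:
                if payload.get("scope") not in self.scopes.split(","):
                    raise UnauthorizedInvalidToken()
            if self.groups:
                if payload.get("group") not in self.groups.split(","):
                    raise UnauthorizedInvalidToken()
        except Exception as e:
            # … unchanged: log and re-raise …
```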