fix: handle local and remote sets

auth_jwt/models/auth_jwt_validator.py

@@ -221,15 +221,16 @@ def _decode(self, token, secret=None):
                     else:
                         raise UnauthorizedInvalidToken()
                 if self.audience_type == "scope":
-                    if payload.get("scope") in (self.audience).split(","):
-                        return payload
-                    else:
-                        raise UnauthorizedInvalidToken()
+                    for scope_const in (self.audience).split(","):
+                        if scope_const in (payload.get("scope")).split(" "):
+                            return payload
+                        else:
+                            raise UnauthorizedInvalidToken()
                 if self.audience_type == "group":
-                    if payload.get("group") in (self.audience).split(","):
-                        return payload
-                    else:
-                        raise UnauthorizedInvalidToken()
+                    for group_const in (self.audience).split(","):
+                        if group_const in payload.get("cognito:groups"):
+                            return payload
+                    raise UnauthorizedInvalidToken()
         except Exception as e:
             _logger.info("Invalid token: %s", e)
             raise UnauthorizedInvalidToken() from e