From d0013bfc0e9e790505f16283032249c7e8c9ceeb Mon Sep 17 00:00:00 2001
From: Don Kendall
Date: Fri, 17 Jan 2025 15:25:29 -0500
Subject: [PATCH] fix: handle local and remote sets
---
 auth_jwt/models/auth_jwt_validator.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 84b2247fef..26d78cd50e 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -221,15 +221,16 @@ def _decode(self, token, secret=None):
 else:
 raise UnauthorizedInvalidToken()
 if self.audience_type == "scope":
- if payload.get("scope") in (self.audience).split(","):
- return payload
- else:
- raise UnauthorizedInvalidToken()
+ for scope_const in (self.audience).split(","):
+ if scope_const in (payload.get("scope")).split(" "):
+ return payload
+ else:
+ raise UnauthorizedInvalidToken()
 if self.audience_type == "group":
- if payload.get("group") in (self.audience).split(","):
- return payload
- else:
- raise UnauthorizedInvalidToken()
+ for group_const in (self.audience).split(","):
+ if group_const in payload.get("cognito:groups"):
+ return payload
+ raise UnauthorizedInvalidToken()
 except Exception as e:
 _logger.info("Invalid token: %s", e)
 raise UnauthorizedInvalidToken() from e
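Review bot: In the new scope branch the `else: raise UnauthorizedInvalidToken()` sits inside the `for scope_const` loop, so only the first comma-separated audience entry is ever tested — a token whose scope matches the second entry is rejected on the first iteration, which defeats the set handling the commit title describes. Drop the `else:` and dedent the `raise UnauthorizedInvalidToken()` so it runs after the loop, exactly as the group branch already does. `payload.get("scope")` is `None` when the claim is absent, so `.split(" ")` raises AttributeError that the outer `except Exception` turns into UnauthorizedInvalidToken — fail-closed, but `(payload.get("scope") or "").split(" ")` makes the rejection explicit rather than incidental. In the group branch, if `cognito:groups` ever arrives as a string instead of a list, `group_const in ...` becomes a substring test (an audience of `admin` would accept a claim of `readonly-admins`), so it is worth normalizing the claim to a list before the membership check. `_decode` begins outside the hunk.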