
Accept the issuer URL as a valid audience#865

Merged
lepture merged 2 commits into authlib:main from azmeuk:730-rfc7523-aud
Mar 16, 2026

Conversation

@azmeuk (Member) commented Feb 27, 2026

What kind of change does this PR introduce?

Per RFC 7523 Section 3 and draft-ietf-oauth-rfc7523bis, the AS issuer identifier should be a valid audience value alongside the token endpoint URL.

JWTBearerGrant was not checking the audience value at all. A get_audiences method is introduced to let developers indicate the valid audiences. I guess someday when #260 is implemented, we could guess the token urls and issuer and build this dynamically.
JWTBearerClientAssertion was checking that the audience value was the token url, but now it also accepts the issuer.

Does this PR introduce a breaking change?

No

Checklist

  • The commits follow the conventional commits specification.
  • You ran the linters with prek.
  • You wrote unit tests to demonstrate the bug you are fixing, or to stress the feature you are bringing.
  • You reached 100% code coverage on the code you edited, without abusive use of pragma: no cover.
  • If this PR is about a new feature, or a behavior change, you have updated the documentation accordingly.
  • You consent that the copyright of your pull request source code belongs to Authlib's author.
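An added illustration of the audience rule this PR describes: the assertion's aud claim is accepted if it names either the token endpoint URL or the AS issuer identifier. This is example code, not Authlib's own; the function names, the error class and the sample URLs are assumptions made for the example.

```python
# Added example (not Authlib's code): an RFC 7523 client-assertion audience
# check that accepts the token endpoint URL or the AS issuer identifier.
# Helper names, the error class and the URLs below are constructed here.
from typing import Iterable, Optional

TOKEN_URL = "https://as.example.test/oauth/token"  # constructed sample
ISSUER = "https://as.example.test"                 # constructed sample


class InvalidAudienceError(ValueError):
    """Raised when the aud claim matches none of the accepted audiences."""


def get_audiences(token_url: str, issuer: Optional[str]) -> list[str]:
    """Audiences this AS accepts: the token endpoint, plus the issuer if set.

    A server hook shaped like this lets a deployment change the accepted
    set, for example to stop accepting the token endpoint URL at all.
    """
    audiences = [token_url]
    if issuer:
        audiences.append(issuer)
    return audiences


def validate_assertion_audience(claims: dict, accepted: Iterable[str]) -> str:
    """Return the audience value that matched, or raise InvalidAudienceError.

    RFC 7519 allows aud to be a single string or an array of strings, and
    RFC 7523 requires at least one value to identify this AS. Matching is
    exact string equality, so trailing slashes and letter case in the
    configured URLs matter.
    """
    aud = claims.get("aud")
    if aud is None:
        raise InvalidAudienceError("client assertion has no aud claim")
    values = [aud] if isinstance(aud, str) else list(aud)
    if not values or not all(isinstance(v, str) for v in values):
        raise InvalidAudienceError("aud must be a string or a list of strings")
    accepted_set = set(accepted)
    for value in values:
        if value in accepted_set:
            return value
    raise InvalidAudienceError(f"aud {values!r} not in {sorted(accepted_set)!r}")


if __name__ == "__main__":
    print(validate_assertion_audience({"aud": ISSUER}, get_audiences(TOKEN_URL, ISSUER)))
```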

@azmeuk azmeuk added role:authorization_server Concerns a server implementation spec:rfc7523 JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants labels Feb 27, 2026
@azmeuk azmeuk requested a review from lepture February 27, 2026 08:57
Comment thread authlib/oauth2/rfc7523/client.py Outdated
# token endpoint URL and the AS issuer identifier are valid audiences.
aud_values = [self.token_url]
if self.issuer:
    aud_values.append(self.issuer)
Member:

How about we define a get_audiences method instead of adding a issuer parameter?


This would also allow the server to disallow the token endpoint as an audience.

Member Author:

I implemented get_audiences and added deprecation warnings so the get_audiences methods must be implemented for Authlib 1.8.

@azmeuk azmeuk force-pushed the 730-rfc7523-aud branch from 173766a to 90948b1 March 3, 2026 16:18
azmeuk added 2 commits March 10, 2026 08:28
Per RFC 7523 Section 3 and draft-ietf-oauth-rfc7523bis, the AS issuer
identifier should be a valid audience value alongside the token endpoint
URL.
@azmeuk azmeuk requested a review from lepture March 10, 2026 07:29
@lepture lepture merged commit 68e6ab3 into authlib:main Mar 16, 2026
7 checks passed
@azmeuk azmeuk deleted the 730-rfc7523-aud branch March 16, 2026 12:47

Labels

role:authorization_server Concerns a server implementation spec:rfc7523 JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants


Development

Successfully merging this pull request may close these issues.

RFC7523 - The AS iss value should be a valid aud in client JWT authentication

3 participants