Validate the aud claim of JwtAccessToken

timhallmann · timhallmann · commit c6700b9e3297 · 2025-03-04T14:07:01.000+01:00
diff --git a/src/simple_openid_connect/data.py b/src/simple_openid_connect/data.py
@@ -342,12 +342,13 @@ class JwtAccessToken(OpenidBaseModel):
     scope: Optional[str] = None
     "OPTIONAL. Scopes to which the token grants access. Multiple scopes are encoded space separated. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present."
 
-    def validate_extern(self, issuer: str) -> None:
+    def validate_extern(self, issuer: str, client_id: Union[str, None] = None) -> None:
         """
         Validate this access token with external data for consistency.
 
         :param issuer: The issuer that this token is supposed to originate from.
             Should usually be :data:`ProviderMetadata.issuer`.
+        :param client_id: The client id of this client
         """
         # validate issuer
         validate_that(
@@ -358,6 +359,23 @@ def validate_extern(self, issuer: str) -> None:
         # validate expiry
         validate_that(self.exp > time.time(), "The access token is expired")
 
+        # validate audience
+        if client_id:
+            validate_that(
+                self.aud is not None,
+                "The access token does not contain the required audience value",
+            )
+            if isinstance(self.aud, str):
+                validate_that(
+                    self.aud == client_id,
+                    "The access tokens audience does not contain own client_id",
+                )
+            elif isinstance(self.aud, list):
+                validate_that(
+                    client_id in self.aud,
+                    "The access tokens audience does not contain own client_id",
+                )
+
 
 class UserinfoRequest(OpenidBaseModel):
     """
