Validate the aud claim of JwtAccessToken

[timhallmann]

No description provided.

[timhallmann]

Wait a second... aud is still optional, meaning client_id="example_client" and aud=None validates successfully. Even if the issuer is already validated, that shouldn't happen.

[lilioid]

Is there a reason why you implemented client_id as an optional parameter?

The aud description says the following after all:

Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the 'aud' claim when this claim is present, then the JWT MUST be rejected.

Which I would interpret to mean that a client_id must always be given and must match (with the exception that it can be ignored if no aud claim is present in the token)

[timhallmann]

There is a reason, and I should have added a comment: I wanted to keep it backwards compatible. By itself, it doesn't seem important enough to break the interface.

Though... what is your policy regarding breaking changes?

[lilioid]

There is a reason, and I should have added a comment: I wanted to keep it backwards compatible.

That's kind of what I thought ^^

Though... what is your policy regarding breaking changes?

I am pretty much of the opinion that you shouldn't be scared of increasing major versions. If something breaks the interface, the version goes up.
I'd rather have a correct implementation than a backlog of we'll have to remember to change this when eventually we do bump the major version stuff.

So I'd say make the attribute mandatory and then I'll bump the version.

[timhallmann]

Sounds good to me, let's do that. :)