feat: support jwt aud validation for hosted apps (#117)

* feat: add support jwt aud validation for hosted apps --------- Co-authored-by: Vanessa Burroughs <[email protected]>
passageidentity · Dec 10, 2024 · bcaaebe · bcaaebe
1 parent 34df698
commit bcaaebe
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/lib/passageidentity/auth.rb b/lib/passageidentity/auth.rb
@@ -82,18 +82,21 @@ def validate_jwt(token)
         )
       end
 
+      audiences = [@auth_origin, @app_id]
+
       claims =
         JWT.decode(
           token,
           nil,
           true,
           {
-            aud: @auth_origin,
+            aud: audiences,
             verify_aud: true,
             algorithms: ['RS256'],
             jwks: @jwks
           }
         )
+
       claims[0]['sub']
     rescue JWT::InvalidIssuerError, JWT::InvalidAudError, JWT::ExpiredSignature, JWT::IncorrectAlgorithm,
            JWT::DecodeError => e
@@ -237,11 +240,6 @@ def get_cache(key)
     def set_cache(key:, jwks:)
       @app_cache.write(key, jwks, expires_in: 86_400)
     end
-
-    def jwk_exists(token)
-      kid = JWT.decode(token, nil, false)[1]['kid']
-      @jwks['keys'].any? { |jwk| jwk['kid'] == kid }
-    end
     # rubocop:enable Metrics/AbcSize
 
     deprecate(:authenticate_request, :validate_jwt, 2025, 1)