Add the ability to decode a JWT token without specifying an audience.

Adding this allows us to continue using this library to decode a JWT token with a secret (the way it used to be possible pre v9). Without this we cannot update to v9 and we are stuck in v8.3.
Keats · Oct 25, 2023 · 237974c · 237974c
1 parent 895079c
commit 237974c
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/src/validation.rs b/src/validation.rs
@@ -52,7 +52,13 @@ pub struct Validation {
     ///
     /// Defaults to `false`.
     pub validate_nbf: bool,
-    /// If it contains a value, the validation will check that the `aud` field is a member of the
+    /// Whether to validate the `aud` field.
+    ///
+    /// It will return an error if the `aud` field is not a member of the audience provided.
+    ///
+    /// Defaults to `true`. Very insecure to turn this off. Only do this if you know what you are doing.
+    pub validate_aud: bool,
+    /// Validation will check that the `aud` field is a member of the
     /// audience provided and will error otherwise.
     /// Use `set_audience` to set it
     ///
@@ -92,6 +98,7 @@ impl Validation {
 
             validate_exp: true,
             validate_nbf: false,
+            validate_aud: true,
 
             iss: None,
             sub: None,
@@ -262,6 +269,9 @@ pub(crate) fn validate(claims: ClaimsForValidation, options: &Validation) -> Res
         _ => {}
     }
 
+    if !options.validate_aud {
+        return Ok(());
+    }
     match (claims.aud, options.aud.as_ref()) {
         // Each principal intended to process the JWT MUST
         // identify itself with a value in the audience claim. If the principal
@@ -656,6 +666,18 @@ mod tests {
         };
     }
 
+    #[test]
+    fn aud_validation_skipped() {
+        let claims = json!({"aud": ["Everyone"]});
+        let mut validation = Validation::new(Algorithm::HS256);
+        validation.validate_exp = false;
+        validation.validate_aud = false;
+        validation.required_spec_claims = HashSet::new();
+        validation.aud = None;
+        let res = validate(deserialize_claims(&claims), &validation);
+        assert!(res.is_ok());
+    }
+
     #[test]
     fn aud_missing_fails() {
         let claims = json!({});