feat(backend): Propagate audience option to verifyToken #978

Closed
wants to merge 1 commit into from

@appden appden commented Mar 24, 2023

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Packages affected

  • @clerk/clerk-js
  • @clerk/clerk-react
  • @clerk/nextjs
  • @clerk/remix
  • @clerk/types
  • @clerk/themes
  • @clerk/localizations
  • @clerk/clerk-expo
  • @clerk/backend
  • @clerk/clerk-sdk-node
  • @clerk/shared
  • @clerk/fastify
  • gatsby-plugin-clerk
  • build/tooling/chore

Description

  • npm test runs as expected.
  • npm run build runs as expected.

In rare circumstances, one may want to specify the `audience` to validate the token against since the `aud` claim may be specified in the session customization settings. Also, if the `audience` is not specified for verification, then the presence of the `aud` claim should not result in a failure.

jit-ci bot commented Mar 24, 2023

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

@jit-ci jit-ci bot left a comment

✅ Great news! Jit hasn't found any security issues in your PR. Good Job! 🏆

@nikosdouvlis
Member

Thanks for the contribution @appden :)
We'll take a look as soon as possible.

@dimkl
Contributor

dimkl commented Mar 24, 2023

@appden Could you provide some information about your use case?
Currently the JWT verification depends on `authorizedParties` and the `azp` claim instead of `aud`.
Why do you need to pass a specific `aud` claim in the session customization settings and validate against it in your server?

@appden
Author

appden commented Mar 24, 2023

> Why do you need to pass a specific `aud` claim in the session customization settings and validate against it in your server?

My primary reason at the moment is I'm integrating with MongoDB Atlas, which requires an aud claim, and I'd much prefer to use the existing token instead of creating a JWT template and having to request a separate token when interacting with Atlas.

@dimkl
Contributor

dimkl commented Mar 30, 2023

@appden I will close this PR and open a new one that will allow the `audience: string | string[]` to be passed as an option to "@clerk/backend" from all the other Clerk packages.
I will try to push this by the end of day.

@dimkl
Contributor

dimkl commented Mar 30, 2023

Closing this in favour of: #1004

@dimkl dimkl closed this Mar 30, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 7, 2023
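
The audience behaviour discussed in this thread (the PR description's rule that `aud` is checked only when an `audience` is supplied, and the `audience: string | string[]` option mentioned in the later comment), as an added TypeScript example that is not code from this PR or from `@clerk/backend`. The `checkAudience` helper, its result shape, the fail-closed handling of an empty list and the sample audience values are assumptions made for illustration.

```typescript
// Added example, not @clerk/backend code: checkAudience and Result are hypothetical.
type Claims = { aud?: unknown };
type Result = { ok: boolean; reason?: string };

function checkAudience(claims: Claims, audience?: string | string[]): Result {
  // No audience requested: an aud claim in the token is not a reason to reject it.
  if (audience === undefined) return { ok: true };

  // Normalise the option, which may be a single string or a list of strings.
  const expected: string[] = Array.isArray(audience) ? audience : [audience];

  // RFC 7519 allows aud to be one string or an array of strings.
  const aud = claims.aud;
  const present: unknown[] = aud === undefined ? [] : Array.isArray(aud) ? aud : [aud];
  if (present.length === 0) return { ok: false, reason: "aud claim missing" };
  if (!present.every((a) => typeof a === "string" && a.length > 0)) {
    return { ok: false, reason: "aud claim malformed" };
  }

  // Exact, case-sensitive comparison; one shared value is enough to accept.
  // An explicitly empty expected list matches nothing (a choice made for this example).
  const match = present.some((a) => expected.indexOf(a as string) !== -1);
  return match ? { ok: true } : { ok: false, reason: "aud claim does not match" };
}

// Constructed sample claims and options; the audience values are made up.
const samples: Array<[Claims, string | string[] | undefined]> = [
  [{ aud: "atlas-app" }, undefined],          // accepted: no audience requested
  [{ aud: "atlas-app" }, "atlas-app"],        // accepted: exact match
  [{ aud: ["api", "atlas-app"] }, ["atlas-app", "other"]], // accepted: one value shared
  [{}, "atlas-app"],                          // rejected: claim missing
  [{ aud: "someone-else" }, "atlas-app"],     // rejected: mismatch
  [{ aud: ["atlas-app", 7] }, "atlas-app"],   // rejected: non-string entry
];
samples.forEach(function (s) {
  console.log(JSON.stringify(s[0]), JSON.stringify(s[1]), JSON.stringify(checkAudience(s[0], s[1])));
});
```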