Add the ability to decode a JWT token without specifying an audience. (#336)

sagunb · web-flow · commit f112c08729ad · 2023-11-07T12:28:16.000+01:00
Adding this allows us to continue using this library to decode a JWT
token with a secret (the way it used to be possible pre v9).

Without this we cannot update to v9 and we are stuck in v8.3.

Co-authored-by: sagunb &lt;sagunb@users.noreply.github.com&gt;
diff --git a/src/validation.rs b/src/validation.rs
@@ -51,7 +51,13 @@ pub struct Validation {
     ///
     /// Defaults to `false`.
     pub validate_nbf: bool,
-    /// If it contains a value, the validation will check that the `aud` field is a member of the
+    /// Whether to validate the `aud` field.
+    ///
+    /// It will return an error if the `aud` field is not a member of the audience provided.
+    ///
+    /// Defaults to `true`. Very insecure to turn this off. Only do this if you know what you are doing.
+    pub validate_aud: bool,
+    /// Validation will check that the `aud` field is a member of the
     /// audience provided and will error otherwise.
     /// Use `set_audience` to set it
     ///
@@ -91,6 +97,7 @@ impl Validation {
 
             validate_exp: true,
             validate_nbf: false,
+            validate_aud: true,
 
             iss: None,
             sub: None,
@@ -270,6 +277,9 @@ pub(crate) fn validate(claims: ClaimsForValidation, options: &Validation) -> Res
         _ => {}
     }
 
+    if !options.validate_aud {
+        return Ok(());
+    }
     match (claims.aud, options.aud.as_ref()) {
         // Each principal intended to process the JWT MUST
         // identify itself with a value in the audience claim. If the principal
@@ -664,6 +674,18 @@ mod tests {
         };
     }
 
+    #[test]
+    fn aud_validation_skipped() {
+        let claims = json!({"aud": ["Everyone"]});
+        let mut validation = Validation::new(Algorithm::HS256);
+        validation.validate_exp = false;
+        validation.validate_aud = false;
+        validation.required_spec_claims = HashSet::new();
+        validation.aud = None;
+        let res = validate(deserialize_claims(&claims), &validation);
+        assert!(res.is_ok());
+    }
+
     #[test]
     fn aud_missing_fails() {
         let claims = json!({});
