Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(backend): Propagate audience option to verifyToken #978

Closed
wants to merge 1 commit into from
Closed

feat(backend): Propagate audience option to verifyToken #978

wants to merge 1 commit into from

Conversation

appden
Copy link

@appden appden commented Mar 24, 2023

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Packages affected

  • @clerk/clerk-js
  • @clerk/clerk-react
  • @clerk/nextjs
  • @clerk/remix
  • @clerk/types
  • @clerk/themes
  • @clerk/localizations
  • @clerk/clerk-expo
  • @clerk/backend
  • @clerk/clerk-sdk-node
  • @clerk/shared
  • @clerk/fastify
  • gatsby-plugin-clerk
  • build/tooling/chore

Description

  • npm test runs as expected.
  • npm run build runs as expected.

In rare circumstances, one may want to specify the audience to validate the token against since the aud claim may be specified in the session customization settings. Also, if the audience is not specified for verification, then the presence of the aud claim should not result in a failure.

@appden
feat(backend): Propagate audience option to verifyToken
59596c1 
In rare circumstances, one may want to specify the `audience` to validate the token against since the `aud` claim may be specified in the session customization settings. Also, if the `audience` is not specified for verification, then the presence of the `aud` claim should not result in a failure.
@jit-ci
Copy link

jit-ci bot commented Mar 24, 2023

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

jit-ci[bot]
jit-ci bot reviewed Mar 24, 2023
View reviewed changes
Copy link

@jit-ci jit-ci bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Great news! Jit hasn't found any security issues in your PR. Good Job! 🏆

@nikosdouvlis
Copy link
Member

Thanks for the contribution @appden :)
We'll take a look as soon as possible.

@dimkl
Copy link
Contributor

dimkl commented Mar 24, 2023

@appden Could you provide some information about your use case ?
Currently the JWT verification depends on authorizedParties and azp claim instead of aud.
Why do you need to pass a specific aud claim in the session customization settings and validate against it in the your server ?

@appden
Copy link
Author

appden commented Mar 24, 2023
edited
Loading

Why do you need to pass a specific aud claim in the session customization settings and validate against it in the your server ?

My primary reason at the moment is I'm integrating with MongoDB Atlas, which requires an aud claim, and I'd much prefer to use the existing token instead of creating a JWT template and having to request a separate token when interacting with Atlas.

@dimkl
Copy link
Contributor

dimkl commented Mar 30, 2023

@appden i will close this PR and open a new one that will allow the audience: string | string[] to be passed as option to"@clerk/backend" from all the other clerk packages.
I will try to push this by the end of day.

@dimkl
Copy link
Contributor

dimkl commented Mar 30, 2023
edited
Loading

Closing this in favour of : #1004

@dimkl dimkl closed this Mar 30, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jit-ci jit-ci[bot] jit-ci[bot] left review comments

@SokratisVidros SokratisVidros Awaiting requested review from SokratisVidros

@nikosdouvlis nikosdouvlis Awaiting requested review from nikosdouvlis

@dimkl dimkl Awaiting requested review from dimkl

@chanioxaris chanioxaris Awaiting requested review from chanioxaris

Assignees
No one assigned
Labels
community
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@appden @nikosdouvlis @dimkl