Make token validation compatible with AccessToken where "aud" claim is not provided

src/django_cognito_jwt/validator.py

@@ -57,14 +57,20 @@ def validate(self, token):
         if not public_key:
             raise TokenError("No key found for this token")
 
+        params = {
+            "jwt": token,
+            "key": public_key,
+            "issuer": self.pool_url,
+            "algorithms": ["RS256"]
+        }
+
+        # include audience validation if "aud" claim is provided in token payload
+        token_payload = jwt.decode(token, verify=False)
+        if "aud" in token_payload:
+            params.update({"audience": self.audience})
+
         try:
-            jwt_data = jwt.decode(
-                token,
-                public_key,
-                audience=self.audience,
-                issuer=self.pool_url,
-                algorithms=["RS256"],
-            )
+            jwt_data = jwt.decode(**params)
         except (jwt.InvalidTokenError, jwt.ExpiredSignature, jwt.DecodeError) as exc:
             raise TokenError(str(exc))
         return jwt_data

tests/test_validator.py

@@ -46,6 +46,19 @@ def test_validate_token_error_aud(cognito_well_known_keys, jwk_private_key_one):
         auth.validate(token)
 
 
+def test_validate_token_missing_aud(cognito_well_known_keys, jwk_private_key_one):
+    token = create_jwt_token(
+        jwk_private_key_one,
+        {
+            "iss": "https://cognito-idp.eu-central-1.amazonaws.com/bla",
+            # missing aud
+            "sub": "username",
+        },
+    )
+    auth = validator.TokenValidator("eu-central-1", "bla", "my-audience")
+    auth.validate(token)
+
+
 @pytest.mark.parametrize(
     "is_cache_enabled,responses_calls", [(None, 2), (False, 2), (True, 1)]
 )