
Conversation

mkleczek
Contributor

@mkleczek mkleczek commented Oct 12, 2025

This change adds flexibility to aud claim validation. jwt-aud configuration property can now be specified as a regular expression. For example, it is now possible to

  • configure multiple acceptable aud values with the '|' regex operator, e.g. 'audience1|audience2|audience3'
  • accept any audience from a particular domain, e.g. 'https://[a-z0-9]*.example.com'

Resolves #2099

  • Update documentation
  • Update changelog

@mkleczek mkleczek force-pushed the aud-regex branch 2 times, most recently from ea4b9f1 to 2895007 Compare October 13, 2025 04:09
@mkleczek mkleczek changed the title feat: Make jwt-aud config value a regular expression change: Make jwt-aud config value a regular expression Oct 13, 2025
@mkleczek mkleczek marked this pull request as ready for review October 13, 2025 04:22
@mkleczek mkleczek force-pushed the aud-regex branch 3 times, most recently from 43c8f07 to 153080a Compare October 13, 2025 12:03
@taimoorzaeem taimoorzaeem added the breaking change A bug fix or enhancement that would cause a breaking change label Oct 13, 2025
@mkleczek mkleczek marked this pull request as draft October 21, 2025 04:25
@steve-chavez
Member

@mkleczek Could you add a summary of the PR? From reading the issues I'm not sure what's the final design here. This would make it easier to review.

Also, is the breaking change avoidable by changing the default configuration?

* Introduced StringOrURI newtype and its validating FromJSON implementation in Auth.JWT
* Changed JwtError constructor AudClaimNotStringOrArray to AudClaimNotStringOrURIOrArray and modified error message for it
* Added test in AuthSpec
* Modified tests to verify new error message

Left validation of URI in jwt-aud as is.
This change adds flexibility to aud claim validation. jwt-aud configuration property can now be specified as a regular expression. For example, it is now possible to
* configure multiple acceptable aud values with the '|' regex operator, e.g. 'audience1|audience2|audience3'
* accept any audience from a particular domain, e.g. 'https://[a-z0-9]*\.example\.com'
@mkleczek
Contributor Author

@mkleczek Could you add a summary of the PR? From reading the issues I'm not sure what's the final design here. This would make it easier to review.

Done.

Also, is the breaking change avoidable by changing the default configuration?

Yes.

I've decided to set default jwt-aud to .* (accept anything) for now. That means the change no longer addresses #4134 but is not breaking.
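The following is an added illustration of the validation behaviour discussed in this thread (the PR description's two regex use cases and the permissive `.*` default settled on above). It is not PostgREST's own code and is written in Python rather than the project's Haskell; the function names, the use of anchored full-match semantics, and the sample patterns are assumptions made for the example. It also applies the RFC 7519 StringOrURI rule (a value containing ':' must be a URI) that the commit messages refer to, and shows why the dots in a domain pattern should be escaped, as the later commit message does.

```python
import re
from urllib.parse import urlsplit

# Constructed sample jwt-aud configurations (not taken from the PR):
# a list of audiences, a domain pattern with escaped dots, the same
# pattern with unescaped dots, and the accept-anything default.
CONFIGS = {
    "list": r"audience1|audience2|audience3",
    "domain": r"https://[a-z0-9]*\.example\.com",
    "domain_unescaped": r"https://[a-z0-9]*.example.com",
    "accept_all": r".*",
}

AUD_ERROR = "aud claim must be a StringOrURI or an array of them"


class AudClaimError(ValueError):
    """Raised when the aud claim is not a StringOrURI or an array of them."""


def is_string_or_uri(value):
    """RFC 7519 StringOrURI: any string, but if it contains ':' it must be a URI."""
    if not isinstance(value, str):
        return False
    if ":" not in value:
        return True
    # A URI needs at least a scheme; urlsplit yields an empty scheme otherwise.
    return bool(urlsplit(value).scheme)


def aud_values(claim):
    """Normalise the decoded aud claim to a list of StringOrURI values, or raise."""
    if isinstance(claim, str):
        values = [claim]
    elif isinstance(claim, list):
        values = claim
    else:
        raise AudClaimError(AUD_ERROR)
    if not all(is_string_or_uri(v) for v in values):
        raise AudClaimError(AUD_ERROR)
    return values


def aud_matches(pattern, claim):
    """True if any aud value matches the configured regex in full.

    Assumption: the configured pattern must match the whole audience value
    (fullmatch), so 'audience1' does not accept 'audience10'.
    """
    regex = re.compile(pattern)
    return any(regex.fullmatch(v) is not None for v in aud_values(claim))


if __name__ == "__main__":
    print(aud_matches(CONFIGS["list"], "audience2"))                        # True
    print(aud_matches(CONFIGS["domain"], ["https://api.example.com"]))      # True
    # Unescaped dots match any character, so this pattern accepts a
    # value that is not under example.com at all.
    print(aud_matches(CONFIGS["domain_unescaped"], "https://apiXexampleXcom"))  # True
    print(aud_matches(CONFIGS["domain"], "https://apiXexampleXcom"))            # False
    print(aud_matches(CONFIGS["accept_all"], "anything"))                   # True
```

Two design choices matter for a deployment: anchoring the pattern to the whole value (otherwise a substring match would let `audience1` accept unrelated audiences containing that text), and escaping literal dots in hostname patterns, since `.` in a regex matches any character. The `.*` default accepts every audience, so an operator who relies on aud validation should set an explicit pattern.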


Labels

breaking change A bug fix or enhancement that would cause a breaking change

Development

Successfully merging this pull request may close these issues.

Allowing multiple aud values in jwt-aud configuration
