Fix bug if application does not specify audience (jpadilla#336)

djw8605 · jpadilla · commit 02374f4203c7 · 2018-03-15T11:29:53.000-04:00
* Fix bug if application does not specify audience

* Update changelog

* Fixing blank line

* Fixing error message with missing audience
diff --git a/AUTHORS b/AUTHORS
@@ -25,3 +25,5 @@ Patches and Suggestions
  - Michael Davis <mike.philip.davis@gmail.com> <mike.davis@workiva.com>
 
  - Vinod Gupta <codervinod@gmail.com>
+ 
+ - Derek Weitzel <djw8605@gmail.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Fixed
 
+- Audience parameter throws `InvalidAudienceError` when application does not specify an audience, but the token does. [#336][336]
+
 ### Added
 
 [v1.6.0][1.6.0]
@@ -222,3 +224,4 @@ rarely used. Users affected by this should upgrade to 3.3+.
 [315]: https://github.com/jpadilla/pyjwt/pull/315
 [316]: https://github.com/jpadilla/pyjwt/pull/316
 [7c1e61d]: https://github.com/jpadilla/pyjwt/commit/7c1e61dde27bafe16e7d1bb6e35199e778962742
+[336]: https://github.com/jpadilla/pyjwt/pull/336
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
@@ -168,6 +168,11 @@ def _validate_aud(self, payload, audience):
             # verified since the token does not contain a claim.
             raise MissingRequiredClaimError('aud')
 
+        if audience is None and 'aud' in payload:
+            # Application did not specify an audience, but
+            # the token has the 'aud' claim
+            raise InvalidAudienceError('Invalid audience')
+
         audience_claims = payload['aud']
 
         if isinstance(audience_claims, string_types):
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
@@ -288,6 +288,15 @@ def test_check_audience_list_when_valid(self, jwt):
         token = jwt.encode(payload, 'secret')
         jwt.decode(token, 'secret', audience=['urn:you', 'urn:me'])
 
+    def test_check_audience_none_specified(self, jwt):
+        payload = {
+            'some': 'payload',
+            'aud': 'urn:me'
+        }
+        token = jwt.encode(payload, 'secret')
+        with pytest.raises(InvalidAudienceError):
+            jwt.decode(token, 'secret')
+
     def test_raise_exception_invalid_audience_list(self, jwt):
         payload = {
             'some': 'payload',
