Add and document iss and aud configuration options

Author: Landon Gilbert-Bland

docs/options.rst

@@ -110,8 +110,28 @@ General Options:
 
 .. py:data:: JWT_DECODE_AUDIENCE
 
-    The expected audience (``aud``) or list of audiences you expect in a JWT when
-    decoding it.
+    The string or list of audiences (``aud``) expected in a JWT when decoding it.
+
+    Default: ``None``
+
+
+.. py:data:: JWT_ENCODE_AUDIENCE
+
+    The string or list of audiences (``aud``) for created JWTs.
+
+    Default: ``None``
+
+
+.. py:data:: JWT_DECODE_ISSUER
+
+    The issuer (``iss``) you expect in a JWT when decoding it.
+
+    Default: ``None``
+
+
+.. py:data:: JWT_ENCODE_ISSUER
+
+    The issuer (``iss``) for created JWTs.
 
     Default: ``None``
 

flask_jwt_extended/config.py

@@ -272,9 +272,13 @@ def json_encoder(self):
         return current_app.json_encoder
 
     @property
-    def audience(self):
+    def decode_audience(self):
         return current_app.config["JWT_DECODE_AUDIENCE"]
 
+    @property
+    def encode_audience(self):
+        return current_app.config["JWT_ENCODE_AUDIENCE"]
+
     @property
     def encode_issuer(self):
         return current_app.config["JWT_ENCODE_ISSUER"]

flask_jwt_extended/jwt_manager.py

@@ -6,6 +6,7 @@
 from jwt import InvalidAudienceError
 from jwt import InvalidIssuerError
 from jwt import InvalidTokenError
+from jwt import MissingRequiredClaimError
 
 from flask_jwt_extended.config import config
 from flask_jwt_extended.default_callbacks import default_additional_claims_callback
@@ -113,6 +114,10 @@ def handle_expired_error(e):
         def handle_fresh_token_required(e):
             return self._needs_fresh_token_callback(e.jwt_header, e.jwt_data)
 
+        @app.errorhandler(MissingRequiredClaimError)
+        def handle_missing_required_claim_error(e):
+            return self._invalid_token_callback(str(e))
+
         @app.errorhandler(InvalidAudienceError)
         def handle_invalid_audience_error(e):
             return self._invalid_token_callback(str(e))
@@ -176,6 +181,7 @@ def _set_default_configuration_options(app):
         app.config.setdefault("JWT_DECODE_AUDIENCE", None)
         app.config.setdefault("JWT_DECODE_ISSUER", None)
         app.config.setdefault("JWT_DECODE_LEEWAY", 0)
+        app.config.setdefault("JWT_ENCODE_AUDIENCE", None)
         app.config.setdefault("JWT_ENCODE_ISSUER", None)
         app.config.setdefault("JWT_ERROR_MESSAGE_KEY", "msg")
         app.config.setdefault("JWT_HEADER_NAME", "Authorization")
@@ -481,6 +487,7 @@ def _encode_jwt_from_config(
 
         return _encode_jwt(
             algorithm=config.algorithm,
+            audience=config.encode_audience,
             claim_overrides=claim_overrides,
             csrf=config.csrf_protect,
             expires_delta=expires_delta,
@@ -507,14 +514,14 @@ def _decode_jwt_from_config(
 
         kwargs = {
             "algorithms": config.decode_algorithms,
-            "audience": config.audience,
+            "audience": config.decode_audience,
             "csrf_value": csrf_value,
             "encoded_token": encoded_token,
             "identity_claim_key": config.identity_claim_key,
             "issuer": config.decode_issuer,
             "leeway": config.leeway,
             "secret": secret,
-            "verify_aud": config.audience is not None,
+            "verify_aud": config.decode_audience is not None,
         }
 
         try:

flask_jwt_extended/tokens.py

@@ -12,6 +12,7 @@
 
 def _encode_jwt(
     algorithm,
+    audience,
     claim_overrides,
     csrf,
     expires_delta,
@@ -41,6 +42,9 @@ def _encode_jwt(
     if csrf:
         token_data["csrf"] = str(uuid.uuid4())
 
+    if audience:
+        token_data["aud"] = audience
+
     if issuer:
         token_data["iss"] = issuer
 

tests/test_decode_tokens.py

@@ -11,6 +11,7 @@
 from jwt import InvalidAudienceError
 from jwt import InvalidIssuerError
 from jwt import InvalidSignatureError
+from jwt import MissingRequiredClaimError
 
 from flask_jwt_extended import create_access_token
 from flask_jwt_extended import create_refresh_token
@@ -78,6 +79,47 @@ def test_bad_token_type(app, default_access_token):
             decode_token(bad_type_token)
 
 
+def test_encode_decode_audience(app):
+    # Default, no audience
+    with app.test_request_context():
+        encoded_token = create_access_token("username")
+        decoded_token = decode_token(encoded_token)
+        with pytest.raises(KeyError):
+            decoded_token["aud"]
+
+    # Encode and decode audience configured
+    app.config["JWT_ENCODE_AUDIENCE"] = "foo"
+    app.config["JWT_DECODE_AUDIENCE"] = "foo"
+    with app.test_request_context():
+        encoded_token = create_access_token("username")
+        decoded_token = decode_token(encoded_token)
+        assert decoded_token["aud"] == "foo"
+
+    # Encode and decode mismatch
+    app.config["JWT_ENCODE_AUDIENCE"] = "foo"
+    app.config["JWT_DECODE_AUDIENCE"] = "bar"
+    with app.test_request_context():
+        encoded_token = create_access_token("username")
+        with pytest.raises(InvalidAudienceError):
+            decode_token(encoded_token)
+
+    # No encode defined
+    app.config["JWT_ENCODE_AUDIENCE"] = None
+    app.config["JWT_DECODE_AUDIENCE"] = "foo"
+    with app.test_request_context():
+        encoded_token = create_access_token("username")
+        with pytest.raises(MissingRequiredClaimError):
+            decode_token(encoded_token)
+
+    # No decode defined
+    app.config["JWT_ENCODE_AUDIENCE"] = "foo"
+    app.config["JWT_DECODE_AUDIENCE"] = None
+    with app.test_request_context():
+        encoded_token = create_access_token("username")
+        decoded_token = decode_token(encoded_token)
+        assert decoded_token["aud"] == "foo"
+
+
 @pytest.mark.parametrize("delta_func", [timedelta, relativedelta])
 def test_expired_token(app, delta_func):
     with app.test_request_context():