Fix: include received audience value in InvalidAudienceError message#1183
Fix: include received audience value in InvalidAudienceError message#1183pranavkumaarofficial wants to merge 4 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR improves debuggability of JWT audience validation failures by expanding InvalidAudienceError messages to include both the token’s received aud value and the expected audience value(s), aligning with the request in #1099.
Changes:
- Enhance
_validate_auderror messages to include received/expected audience values across mismatch scenarios. - Add tests asserting the new error message content for string/list audiences and “unexpected audience present” when no audience was provided.
- Document the change under
[Unreleased] > FixedinCHANGELOG.rst.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
jwt/api_jwt.py |
Expands InvalidAudienceError messages to include token/expected audience values. |
tests/test_api_jwt.py |
Adds regression tests to ensure error messages contain the relevant audience values. |
CHANGELOG.rst |
Records the change in the Unreleased “Fixed” section with an issue link. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if isinstance(audience, str): | ||
| audience = [audience] | ||
|
|
||
| if all(aud not in audience_claims for aud in audience): | ||
| raise InvalidAudienceError("Audience doesn't match") | ||
| raise InvalidAudienceError( | ||
| f"Audience doesn't match:" | ||
| f" token has {audience_claims!r}," | ||
| f" expected {list(audience)!r}" | ||
| ) |
There was a problem hiding this comment.
Fixed in the latest commit -- audience is now materialized into a list before the all(...) check, so single-pass iterables won't produce an empty list in the error message.
| def test_invalid_audience_error_none_expected(self, jwt: PyJWT) -> None: | ||
| payload = {"some": "payload", "aud": "urn:someone"} | ||
| token = jwt.encode(payload, "secret") | ||
|
|
||
| with pytest.raises(InvalidAudienceError) as exc: | ||
| jwt.decode(token, "secret", algorithms=["HS256"]) | ||
|
|
||
| assert "urn:someone" in str(exc.value) | ||
|
|
There was a problem hiding this comment.
Added test_invalid_audience_error_strict_includes_values which covers the strict-mode mismatch path using options={"strict_aud": True}.
for more information, see https://pre-commit.ci
Summary
When JWT audience validation fails, the
InvalidAudienceErrormessage did notindicate what audience was actually received in the token or what was expected,
making debugging difficult in token misconfiguration scenarios.
This change includes the received and expected audience values in the error
message for the three mismatch cases (normal mode, strict mode, and unexpected
audience present).
Before:
jwt.exceptions.InvalidAudienceError: Audience doesn't match
After:
jwt.exceptions.InvalidAudienceError: Audience doesn't match: token has ['api.staging.example.com'], expected ['api.example.com']
Changes
jwt/api_jwt.py: Updated_validate_audto include received and expected audience values in error messagestests/test_api_jwt.py: Added 3 tests covering string audience, list audience, and unexpected audience scenariosCHANGELOG.rst: Added entry under[Unreleased] > FixedHow to test
pytest tests/test_api_jwt.py::TestJWT::test_invalid_audience_error_includes_values -v
pytest tests/test_api_jwt.py::TestJWT::test_invalid_audience_error_includes_values_list -v
pytest tests/test_api_jwt.py::TestJWT::test_invalid_audience_error_none_expected -v
Closes #1099