fix: Allow multiple audiences for id_token.verify_token (#733)
* feat: Allow multiple audiences for id_token.verify_token (#732)
* running black
Co-authored-by: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
diff --git a/google/auth/jwt.py b/google/auth/jwt.py
index 8165dda..892f3a8 100644
--- a/google/auth/jwt.py
+++ b/google/auth/jwt.py
@@ -219,8 +219,9 @@
in the token's header.
verify (bool): Whether to perform signature and claim validation.
Verification is done by default.
- audience (str): The audience claim, 'aud', that this JWT should
- contain. If None then the JWT's 'aud' parameter is not verified.
+ audience (str or list): The audience claim, 'aud', that this JWT should
+ contain. Or a list of audience claims. If None then the JWT's 'aud'
+ parameter is not verified.
Returns:
Mapping[str, str]: The deserialized JSON payload in the JWT.
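Review bot: The rewritten `audience` entry in the docstring does not state how a list is matched, which is the one thing a caller deciding between a string and a list needs to know. I would phrase it as `audience (str or list): The audience claim, 'aud', that this JWT must contain. When a list is given, the token's 'aud' must equal one of its elements. If None, the 'aud' claim is not verified.`. The docstring, and the function it documents, start and end outside the hunk.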
@@ -279,9 +280,11 @@
# Check audience.
if audience is not None:
claim_audience = payload.get("aud")
- if audience != claim_audience:
+ if isinstance(audience, str):
+ audience = [audience]
+ if claim_audience not in audience:
raise ValueError(
- "Token has wrong audience {}, expected {}".format(
+ "Token has wrong audience {}, expected one of {}".format(
claim_audience, audience
)
)
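Review bot: The membership test on the third added line is an exact-match check only because the `isinstance(audience, str)` branch above it wraps a plain string into a list; any other string-like expected audience (a Python 2 `unicode` value, if this module still supports 2.7, or `bytes`) skips the wrap, and `claim_audience not in audience` then becomes a substring or character test, so a token carrying a shorter `aud` that is a substring of the expected audience (constructed example: `"api"` against `u"api.example"`) would pass verification. Normalizing on the collection side rather than on `str` removes that dependence on the exact type: `if not isinstance(audience, (list, tuple, set, frozenset)): audience = [audience]`. Separately, a token whose `aud` claim is itself a JSON array (permitted by RFC 7519) is always rejected here, since a list is never an element of a list of strings; that is fail-closed, but worth a comment such as `# A list-valued 'aud' claim is not supported and is rejected.` so the limitation is deliberate. The enclosing function starts and ends outside the hunk.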