From f112c08729ad383e8cf3b8dd7e98d40f0eecd4af Mon Sep 17 00:00:00 2001
From: Sagun B <5015564+sagunb@users.noreply.github.com>
Date: Tue, 7 Nov 2023 03:28:16 -0800
Subject: [PATCH] Add the ability to decode a JWT token without specifying an audience. (#336)
Adding this allows us to continue using this library to decode a JWT token with a secret (the way it used to be possible pre v9). Without this we cannot update to v9 and we are stuck in v8.3.
Co-authored-by: sagunb
---
src/validation.rs | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/validation.rs b/src/validation.rs
index 3fd8c725..eea6eafb 100644
--- a/src/validation.rs
+++ b/src/validation.rs
@@ -51,7 +51,13 @@ pub struct Validation {
 ///
 /// Defaults to `false`.
 pub validate_nbf: bool,
- /// If it contains a value, the validation will check that the `aud` field is a member of the
+ /// Whether to validate the `aud` field.
+ ///
+ /// It will return an error if the `aud` field is not a member of the audience provided.
+ ///
+ /// Defaults to `true`. Very insecure to turn this off. Only do this if you know what you are doing.
+ pub validate_aud: bool,
+ /// Validation will check that the `aud` field is a member of the
 /// audience provided and will error otherwise.
 /// Use `set_audience` to set it
 ///
@@ -91,6 +97,7 @@ impl Validation {
 validate_exp: true,
 validate_nbf: false,
+ validate_aud: true,
 iss: None,
 sub: None,
@@ -270,6 +277,9 @@ pub(crate) fn validate(claims: ClaimsForValidation, options: &Validation) -> Res
 _ => {}
 }
+ if !options.validate_aud {
+ return Ok(());
+ }
 match (claims.aud, options.aud.as_ref()) {
 // Each principal intended to process the JWT MUST
 // identify itself with a value in the audience claim. If the principal
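Review bot: The doc comment on the new `validate_aud` field says turning it off is "very insecure" but never states what actually goes wrong, so a caller cannot judge whether their situation qualifies. With the flag false the token's `aud` claim is never compared against anything (the early return in `validate` comes before the audience match), so a token minted for a different recipient is accepted by this verifier and any audience configured via `set_audience` is silently ignored; I would replace the last doc line with a sentence saying exactly that: "Defaults to `true`. When `false` the `aud` claim is not checked at all and any audience set with `set_audience` is ignored, so a token issued for another recipient will verify; only disable this if this service is the sole intended recipient of tokens signed with this key." The rewritten doc on the neighbouring `aud` field now reads as if the check is unconditional; a one-line `/// Ignored when `validate_aud` is `false`.` there would keep the two fields in sync. The `Validation` struct continues outside the hunk.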
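Review bot: The new `return Ok(())` in `validate` exits the function before the audience match rather than skipping only that match, so it also bypasses anything that follows the `aud` block; the function body continues past the hunk, so I cannot see whether something does today, but any check added after the audience block later will be silently disabled whenever `validate_aud` is false. Guarding the match keeps the skip local: put `if options.validate_aud {` in front of `match (claims.aud, options.aud.as_ref()) {` and close it with a `}` after the match, and drop the three added lines. Separately, the flag overrides a configured audience without comment: `options.aud.is_some()` together with `validate_aud == false` is almost certainly a misconfiguration, and either rejecting that combination here or documenting the precedence on the field would avoid a verifier that believes it is enforcing an audience it never checks.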
@@ -664,6 +674,18 @@ mod tests {
 };
 }
+ #[test]
+ fn aud_validation_skipped() {
+ let claims = json!({"aud": ["Everyone"]});
+ let mut validation = Validation::new(Algorithm::HS256);
+ validation.validate_exp = false;
+ validation.validate_aud = false;
+ validation.required_spec_claims = HashSet::new();
+ validation.aud = None;
+ let res = validate(deserialize_claims(&claims), &validation);
+ assert!(res.is_ok());
+ }
+
 #[test]
 fn aud_missing_fails() {
 let claims = json!({});
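Review bot: `aud_validation_skipped` clears `validation.aud` before calling `validate`, so it only shows that the flag passes when there is no configured audience to disagree with; it does not demonstrate the property the flag is for, namely that a real audience mismatch is ignored. Replacing `validation.aud = None;` with `validation.set_audience(&["someone-else"]);` (placed before the `required_spec_claims` reset, in case `set_audience` marks `aud` as required — its body is not visible here) would make the test fail if the early return were ever lost. A second assertion that the same claims are rejected once `validation.validate_aud = true` is restored would also pin the secure default in the same test.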