fix(aud): Update remaining validate_jwt calls

* Most updates are to rm aud argument and use the default value

fence/blueprints/login/fence_login.py

@@ -78,7 +78,7 @@ def get(self):
             redirect_uri, **flask.request.args.to_dict()
         )
         id_token_claims = validate_jwt(
-            tokens["id_token"], aud="openid", purpose="id", attempt_refresh=True
+            tokens["id_token"], scope="openid", purpose="id", attempt_refresh=True
         )
         username = id_token_claims["context"]["user"]["name"]
         login_user(flask.request, username, IdentityProvider.fence)

fence/resources/storage/cdis_jwt.py

@@ -10,8 +10,8 @@
 
 def create_access_token(user, keypair, api_key, expires_in, scopes):
     try:
-        claims = validate_jwt(api_key, aud=scopes, purpose="api_key")
-        if not set(claims["aud"]).issuperset(scopes):
+        claims = validate_jwt(api_key, scope=scopes, purpose="api_key")
+        if not set(claims["scope"]).issuperset(scopes):
             raise JWTError("cannot issue access token with scope beyond refresh token")
     except Exception as e:
         return flask.jsonify({"errors": str(e)})

fence/resources/user/user_session.py

@@ -50,7 +50,6 @@ def __init__(self, session_token):
             try:
                 jwt_info = validate_jwt(
                     session_token,
-                    aud="fence",
                     scope=None,
                     purpose="session",
                     public_key=default_public_key(),
@@ -79,7 +78,6 @@ def _get_initial_session_token(self):
 
         initial_token = validate_jwt(
             session_token,
-            aud="fence",
             scope=None,
             purpose="session",
             public_key=default_public_key(),

tests/oidc/core/authorization/test_max_age.py

@@ -29,5 +29,5 @@ def test_id_token_contains_auth_time(oauth_test_client):
     data = {"confirm": "yes", "max_age": 3600}
     oauth_test_client.authorize(data=data)
     id_token = oauth_test_client.token().id_token
-    id_token_claims = validate_jwt(id_token, aud="test-client")
+    id_token_claims = validate_jwt(id_token)
     assert "auth_time" in id_token_claims

tests/oidc/core/token/test_id_token.py

@@ -135,7 +135,7 @@ def test_id_token_has_nonce(oauth_test_client):
     data = {"confirm": "yes", "nonce": nonce}
     oauth_test_client.authorize(data=data)
     response_json = oauth_test_client.token(data=data).response.json
-    id_token = validate_jwt(response_json["id_token"], aud="test-client")
+    id_token = validate_jwt(response_json["id_token"])
     assert "nonce" in id_token
     assert nonce == id_token["nonce"]
 
@@ -144,6 +144,6 @@ def test_aud(client, oauth_client, id_token):
     """
     Test that the audiences of the ID token contain the OAuth client id.
     """
-    id_claims = validate_jwt(id_token, aud=oauth_client.client_id)
+    id_claims = validate_jwt(id_token)
     assert "aud" in id_claims
     assert oauth_client.client_id in id_claims["aud"]

tests/oidc/core/token/test_refresh.py

@@ -27,15 +27,13 @@
 
 def test_same_claims(oauth_test_client, token_response_json):
     original_id_token = token_response_json["id_token"]
-    original_claims = validate_jwt(original_id_token, aud=oauth_test_client.client_id)
+    original_claims = validate_jwt(original_id_token)
     refresh_token = token_response_json["refresh_token"]
     refresh_token_response = oauth_test_client.refresh(
         refresh_token=refresh_token
     ).response
     assert "id_token" in refresh_token_response.json
-    new_claims = validate_jwt(
-        refresh_token_response.json["id_token"], aud=oauth_test_client.client_id
-    )
+    new_claims = validate_jwt(refresh_token_response.json["id_token"])
     assert original_claims["iss"] == new_claims["iss"]
     assert original_claims["sub"] == new_claims["sub"]
     assert original_claims["iat"] <= new_claims["iat"]

tests/oidc/core/token/test_token_response.py

@@ -38,9 +38,7 @@ def test_id_token_required_fields(token_response):
     """
     assert "id_token" in token_response.json
     # Check that the ID token is a valid JWT.
-    id_token = validate_jwt(
-        token_response.json["id_token"], aud="test-client", scope={"openid"}
-    )
+    id_token = validate_jwt(token_response.json["id_token"], scope={"openid"})
     # Check for required fields.
     assert "pur" in id_token and id_token["pur"] == "id"
 
@@ -64,9 +62,7 @@ def test_access_token_correct_fields(token_response):
     expected fields.
     """
     encoded_access_token = token_response.json["access_token"]
-    access_token = validate_jwt(
-        encoded_access_token, aud="test-client", scope={"openid"}
-    )
+    access_token = validate_jwt(encoded_access_token, scope={"openid"})
     access_token_fields = set(access_token.keys())
     expected_fields = {
         "pur",