Allow missing 'aud' when none specified (#39283)

thomasballinger · Convex, Inc. · commit 422745112bbd · 2025-07-19T23:45:44.000Z
GitOrigin-RevId: 999194d88f7444d9fbbe4bf731ca3a9083437fde
diff --git a/crates/authentication/src/lib.rs b/crates/authentication/src/lib.rs
@@ -196,18 +196,14 @@ where
                  that matches one of your configured auth providers."
             ));
         };
-        let Some(audiences) = payload.registered.audience else {
-            anyhow::bail!(ErrorMetadata::unauthenticated(
-                "InvalidAuthHeader",
-                "Missing audience claim ('aud') in JWT payload. The JWT must include an 'aud' \
-                 claim that matches your configured application ID."
-            ));
-        };
-        let audiences = match audiences {
-            biscuit::SingleOrMultiple::Single(audience) => vec![audience],
-            biscuit::SingleOrMultiple::Multiple(audiences) => audiences,
+        let audiences = match payload.registered.audience {
+            Some(biscuit::SingleOrMultiple::Single(audience)) => vec![audience],
+            Some(biscuit::SingleOrMultiple::Multiple(audiences)) => audiences,
+            None => vec![],
         };
-        // Find the provider matching this token
+        // Find the first provider matching this token.
+        // `iss` claim must match the provider's issuer but 'aud' claim is only
+        // required to match if the provider has an applicationId specified.
         let auth_info = auth_infos
             .iter()
             .find(|info| info.matches_token(&audiences, &issuer))
@@ -320,13 +316,12 @@ where
 
                     let detailed_msg = if let Some(kid) = kid {
                         format!(
-                            "Could not decode token. The JWT's 'kid' (key ID) header is '{}' but \
-                             this doesn't match any key in the provider's JWKS.",
+                            "Could not decode token. The JWT's 'kid' (key ID) header is '{}', \
+                             does this key match any key in the provider's JWKS?",
                             kid
                         )
                     } else {
-                        "Could not decode token. The JWT is missing a 'kid' (key ID) header, or \
-                         the JWT signature is invalid."
+                        "Could not decode token. JWT may be missing a 'kid' (key ID) header."
                             .to_string()
                     };
 
@@ -361,14 +356,14 @@ where
                     format!("Invalid issuer: {} != {}", token_issuer, issuer)
                 ));
             }
-            let Some(ref token_audience) = payload.registered.audience else {
-                anyhow::bail!(ErrorMetadata::unauthenticated(
-                    "InvalidAuthHeader",
-                    "Missing audience claim ('aud') in JWT payload. The JWT must include an 'aud' \
-                     claim that matches your configured application ID."
-                ));
-            };
             if let Some(application_id) = application_id {
+                let Some(ref token_audience) = payload.registered.audience else {
+                    anyhow::bail!(ErrorMetadata::unauthenticated(
+                        "InvalidAuthHeader",
+                        "Missing audience claim ('aud') in JWT payload. The JWT must include an \
+                         'aud' claim that matches your configured application ID."
+                    ));
+                };
                 if !token_audience
                     .iter()
                     .any(|audience| audience == &application_id)
@@ -392,12 +387,13 @@ where
             };
             decoded_token
                 .validate(validation_options)
-                .with_context(|| {
+                .map_err(|original_error| {
+                    eprintln!("Original validation error: {:?}", original_error);
+                    let msg = original_error.to_string();
+
                     ErrorMetadata::unauthenticated(
                         "InvalidAuthHeader",
-                        "Could not validate token. This often happens due to timing issues: check \
-                         that your JWT's 'iat' (issued at) and 'exp' (expires) claims are valid \
-                         for the current time.",
+                        format!("Could not validate token: {}", msg),
                     )
                 })?;
             UserIdentity::from_custom_jwt(decoded_token, token_str.0).context(
diff --git a/npm-packages/js-integration-tests/auth.test.ts b/npm-packages/js-integration-tests/auth.test.ts
@@ -7,11 +7,11 @@ import { privateKeyPEM, kid as correctKid } from "./authCredentials";
 async function createSignedJWT(
   payload: any,
   options: {
-    issuer?: string;
-    audience?: string;
+    issuer?: string | null;
+    audience?: string | null;
     expiresIn?: string;
     subject?: string;
-    issuedAt?: string;
+    issuedAt?: string | null;
     alg?: "RS256" | "ES256" | (string & { ignore_me?: never });
     useKid?: "wrong kid" | "missing kid" | "correct kid";
   } = {},
@@ -34,18 +34,20 @@ async function createSignedJWT(
         ? "key-2 (oops, this is the wrong kid!)"
         : undefined;
 
-  let jwtBuilder = new SignJWT(payload)
-    .setProtectedHeader({
-      kid,
-      alg,
-    })
-    .setIssuedAt(issuedAt);
+  let jwtBuilder = new SignJWT(payload).setProtectedHeader({
+    kid,
+    alg,
+  });
+
+  if (issuedAt !== null) {
+    jwtBuilder = jwtBuilder.setIssuedAt(issuedAt);
+  }
 
-  if (issuer !== undefined) {
+  if (issuer !== null) {
     jwtBuilder = jwtBuilder.setIssuer(issuer);
   }
 
-  if (audience !== undefined) {
+  if (audience !== null) {
     jwtBuilder = jwtBuilder.setAudience(audience);
   }
 
@@ -119,16 +121,6 @@ describe("auth debugging", () => {
       expect(logger.logs).toEqual([]);
     });
 
-    test("missing kid", async () => {
-      const error = await getErrorFromJwt(
-        await createSignedJWT({ name: "Presley" }, { useKid: "missing kid" }),
-      );
-      // The exact error message may vary, but should be enhanced
-      expect(error.code).toEqual("InvalidAuthHeader");
-      expect(error.message).toContain("JWT");
-      expect(logger.logs).toEqual([]);
-    });
-
     test("no auth provider found - enhanced error message", async () => {
       const error = await getErrorFromJwt(
         await createSignedJWT(
@@ -149,7 +141,7 @@ describe("auth debugging", () => {
         "CustomJWT(issuer=https://issuer.example.com/1, app_id=App 1)",
       );
       expect(error.message).toContain(
-        "CustomJWT(issuer=https://issuer.example.com/2, app_id=none)",
+        "CustomJWT(issuer=https://issuer.example.com/no-aud-specified, app_id=none)",
       );
       expect(error.message).toContain(
         "CustomJWT(issuer=https://issuer.example.com/3, app_id=App 3)",
@@ -158,35 +150,73 @@ describe("auth debugging", () => {
     });
 
     test("missing issuer claim", async () => {
-      // Create a JWT without an issuer claim
-      try {
-        const jwt = await createSignedJWT({ name: "Presley" }, {
-          issuer: undefined,
-        } as any);
-        const error = await getErrorFromJwt(jwt);
-        expect(error.code).toEqual("InvalidAuthHeader");
-        expect(error.message).toContain("issuer");
-        expect(error.message).toContain("iss");
-      } catch (e) {
-        // JWT creation might fail, which is also valid behavior
-        console.log("JWT creation failed for missing issuer");
-      }
+      const jwt = await createSignedJWT(
+        { name: "Presley" },
+        {
+          issuer: null,
+        },
+      );
+      const error = await getErrorFromJwt(jwt);
+      expect(error.code).toEqual("InvalidAuthHeader");
+      expect(error.message).toContain("issuer");
+      expect(error.message).toContain("iss");
     });
 
     test("missing audience claim", async () => {
-      // Create a JWT without an audience claim
-      try {
-        const jwt = await createSignedJWT({ name: "Presley" }, {
-          audience: undefined,
-        } as any);
-        const error = await getErrorFromJwt(jwt);
-        expect(error.code).toEqual("InvalidAuthHeader");
-        expect(error.message).toContain("audience");
-        expect(error.message).toContain("aud");
-      } catch (e) {
-        // JWT creation might fail, which is also valid behavior
-        console.log("JWT creation failed for missing audience");
-      }
+      const jwt = await createSignedJWT(
+        { name: "Presley" },
+        {
+          audience: null,
+        },
+      );
+      const error = await getErrorFromJwt(jwt);
+      expect(error.code).toEqual("NoAuthProvider");
+    });
+
+    test("missing kid", async () => {
+      const error = await getErrorFromJwt(
+        await createSignedJWT({ name: "Presley" }, { useKid: "missing kid" }),
+      );
+      expect(error.code).toEqual("InvalidAuthHeader");
+      expect(error.message).toContain("missing a 'kid'");
+      expect(logger.logs).toEqual([]);
+    });
+
+    test("wrong audience claim", async () => {
+      const jwt = await createSignedJWT(
+        { name: "Presley" },
+        {
+          audience: "asdf",
+        },
+      );
+      const error = await getErrorFromJwt(jwt);
+      expect(error.code).toEqual("NoAuthProvider");
+    });
+
+    test("audience claim allowed when none required", async () => {
+      const jwt = await createSignedJWT(
+        { name: "Presley" },
+        {
+          issuer: "https://issuer.example.com/no-aud-specified",
+          audience: "asdf",
+        },
+      );
+      httpClient.setAuth(jwt);
+      const result = await httpClient.query(api.auth.q);
+      expect(result?.name).toEqual("Presley");
+    });
+
+    test("missing audience claim allowed when none required", async () => {
+      const jwt = await createSignedJWT(
+        { name: "Presley" },
+        {
+          issuer: "https://issuer.example.com/no-aud-specified",
+          audience: null,
+        },
+      );
+      httpClient.setAuth(jwt);
+      const result = await httpClient.query(api.auth.q);
+      expect(result?.name).toEqual("Presley");
     });
 
     test("wrong kid", async () => {
@@ -209,6 +239,7 @@ describe("auth debugging", () => {
       expect(error.message).toContain("three base64-encoded parts");
     });
 
+    // Integration tests that hit real APIs are a bummer, TODO hit something else
     // eslint-disable-next-line jest/no-disabled-tests
     test.skip("unreachable JWKS URL", async () => {
       // Use App 3 which has a non-existent JWKS URL
@@ -244,6 +275,18 @@ describe("auth debugging", () => {
       expect(error.message).toContain("not valid JSON");
     });
 
+    test("token expired 10 seconds ago", async () => {
+      const error = await getErrorFromJwt(
+        await createSignedJWT(
+          { name: "Presley" },
+          { issuedAt: "20 sec ago", expiresIn: "10 sec ago" },
+        ),
+      );
+      expect(error.code).toEqual("InvalidAuthHeader");
+      expect(error.message).toContain("Token expired");
+      expect(error.message).toContain("seconds ago");
+    });
+
     test("token issued 3 seconds in future", async () => {
       // Should succeed with 5-second tolerance
       httpClient.setAuth(
@@ -265,8 +308,17 @@ describe("auth debugging", () => {
         ),
       );
       expect(error.code).toEqual("InvalidAuthHeader");
-      expect(error.message).toContain("timing issues");
-      expect(error.message).toContain("iat");
+      expect(error.message).toContain("will be valid in");
+    });
+
+    // Not recommended (some client logic may expect an iat) but not required.
+    test("missing iat", async () => {
+      httpClient.setAuth(
+        await createSignedJWT({ name: "Presley" }, { issuedAt: null }),
+      );
+      const result = await httpClient.query(api.auth.q);
+      expect(result?.subject).toEqual("The Subject");
+      expect(result?.name).toEqual("Presley");
     });
   });
 });
diff --git a/npm-packages/js-integration-tests/convex/auth.config.ts b/npm-packages/js-integration-tests/convex/auth.config.ts
@@ -1,5 +1,8 @@
 import { jwksDataUri } from "../authCredentials.js";
 
+// This deploy needs to succeed for these tests to work so these providers
+// all need to be valid. Invalid providers and the error messages they cause
+// are tested in analyze tests.
 export default {
   providers: [
     {
@@ -13,7 +16,7 @@ export default {
       type: "customJwt",
       // application ID (aud) is not required
       //applicationID: "App 2",
-      issuer: "https://issuer.example.com/2",
+      issuer: "https://issuer.example.com/no-aud-specified",
       jwks: jwksDataUri,
       algorithm: "RS256",
     },
