jwt_auth_cognito 1.0.0.pre.beta.9 → 1.0.0.pre.beta.10

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 5ec0550d58a587e152aa1a4c41cfce13691bb016f0b12e4525a671bc7fda153b
4
- data.tar.gz: 77a05aeb998b6bdeb8df90ffc93a78a3ad1c3565aeda43d4bdcf069713bb6295
3
+ metadata.gz: 97be07f0c6be821ad157fcf5c6b7a173fc6866145d2b738481aaa3b912c39703
4
+ data.tar.gz: 28f5119547d00881a8ccb84be5ca584cf81394a4ba1ce86cf1d5306855037f15
5
5
  SHA512:
6
- metadata.gz: 5a5f6a72cfebb9e1f805ba53b3561c544b2afc18f993af0759da596c02401e6bda2725a58837e2b5db1b818a5f44ae730c8b9057aa0a481530e8f3c035b70ae1
7
- data.tar.gz: 21e84bde860ae1d70dce2ecf5d32a40bcd6fb18af8eb815de9c6079de7996a9a488871c3b91eca0fd649c41d900863c155948e9c96caff507c75b3de3b9110b1
6
+ metadata.gz: e0d17203f3fdba6311fd43d56a451f4e454015f37ab91c7f1231ac334d2c8fb92b2c6fc05b08d109acd0386b3754fec1be1cc5b4bb5ae7e15e4483d9527f9d38
7
+ data.tar.gz: cc89ebd874a97fdac6fd6fe9c417d9e53f41658aab723a47e4df0c3551fe64dc447c507035d8daa42696a29f342a60d8c4a7987a5f880dd589d5ad41e8414805
data/CHANGELOG.md CHANGED
@@ -7,6 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [1.0.0-beta.10] - 2025-01-23
11
+
12
+ ### Fixed
13
+
14
+ - **Audience Validation**: Fixed overly strict audience validation for AWS Cognito access tokens
15
+ - Access tokens from Cognito typically don't include 'aud' claim, only ID tokens do
16
+ - Modified JWKS validation to only enforce audience checking for ID tokens (`token_use: 'id'`)
17
+ - Access tokens (`token_use: 'access'`) now skip audience validation as per AWS Cognito standards
18
+ - Resolves "Invalid audience. Expected [client_id], received <none>" error for access tokens
19
+ - Maintains proper security validation for ID tokens
20
+
21
+ ### Improved
22
+
23
+ - **JWT Standards Compliance**: Enhanced compatibility with AWS Cognito token specifications
24
+ - Pre-decodes tokens to determine type before applying validation rules
25
+ - Follows AWS Cognito best practices for token type-specific validation
26
+ - Maintains backward compatibility with existing ID token validation
27
+
10
28
  ## [1.0.0-beta.9] - 2025-01-22
11
29
 
12
30
  ### Fixed
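--- a/data/CLAUDE.md
+++ b/data/CLAUDE.md
@@ -304,7 +304,7 @@ JWKS_CACHE_TTL=3600 # 1 hour
 
 ## Version Compatibility
 
-### ✅ **Updated January 2025 - Version 1.0.0-beta.6**
+### ✅ **Updated January 2025 - Version 1.0.0-beta.10**
 
 **Stable production-ready beta with complete pipeline compatibility**
 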
@@ -23,6 +23,13 @@ module JwtAuthCognito
23
23
  raise ValidationError, 'Token missing key ID (kid)' unless kid
24
24
 
25
25
  public_key = get_public_key(kid)
26
+ # First decode to check token type before audience validation
27
+ payload_preview = JWT.decode(token, nil, false).first
28
+
29
+ # Only verify audience for ID tokens, not access tokens
30
+ # Access tokens from Cognito might not have 'aud' claim
31
+ should_verify_aud = @config.cognito_client_id && payload_preview['token_use'] == 'id'
32
+
26
33
  decoded_token = JWT.decode(
27
34
  token,
28
35
  public_key,
@@ -31,8 +38,8 @@ module JwtAuthCognito
31
38
  algorithm: 'RS256',
32
39
  iss: @config.cognito_issuer,
33
40
  verify_iss: true,
34
- aud: @config.cognito_client_id,
35
- verify_aud: @config.cognito_client_id ? true : false
41
+ aud: should_verify_aud ? @config.cognito_client_id : nil,
42
+ verify_aud: should_verify_aud
36
43
  }
37
44
  )
38
45
 
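Review bot: Skipping audience verification for access tokens (the `should_verify_aud` assignment and the `aud:`/`verify_aud:` options) leaves nothing that binds an access token to this app client: a Cognito access token carries its app client id in the `client_id` claim rather than `aud`, and the hunk never compares that claim against `@config.cognito_client_id`, so a validly signed access token issued to any other app client of the same user pool (same issuer, same JWKS) now passes. The decision is also taken from an unverified pre-decode; because the second `JWT.decode` verifies the signature of the same token string this is not a signature bypass, but a token whose `token_use` is missing or unexpected silently takes the no-audience path instead of being rejected. After the verified decode, branch on the verified payload's `token_use`: keep `verify_aud` for `'id'`, enforce `client_id` for `'access'`, and raise `ValidationError` for anything else. The enclosing method begins and ends outside this hunk, and the page does not show the file header for it.
```ruby
      )
      # … unchanged: decoded_token = JWT.decode(...) with verify_iss/verify_aud options above …
      payload = decoded_token.first
      case payload['token_use']
      when 'id'
        # audience was already enforced by verify_aud for ID tokens
      when 'access'
        # Cognito access tokens carry the app client id in `client_id`, not `aud`
        if @config.cognito_client_id && payload['client_id'] != @config.cognito_client_id
          raise ValidationError, 'Invalid client_id for access token'
        end
      else
        raise ValidationError, "Unexpected token_use: #{payload['token_use'].inspect}"
      end
```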
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module JwtAuthCognito
4
- VERSION = '1.0.0-beta.9'
4
+ VERSION = '1.0.0-beta.10'
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: jwt_auth_cognito
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0.pre.beta.9
4
+ version: 1.0.0.pre.beta.10
5
5
  platform: ruby
6
6
  authors:
7
7
  - The Optimal
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2025-09-22 00:00:00.000000000 Z
11
+ date: 2025-09-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-ssm