This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new 8a2852d Add issuer and audience to JWTs
8a2852d is described below
commit 8a2852d225975f9668a40da78a19b56f586ab332
Author: Sean B. Palmer <[email protected]>
AuthorDate: Fri Jan 16 20:45:48 2026 +0000
Add issuer and audience to JWTs
---
atr/jwtoken.py | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index fd3de39..7e27174 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -30,6 +30,8 @@ import quart
import atr.config as config
_ALGORITHM: Final[str] = "HS256"
+_ATR_JWT_AUDIENCE: Final[str] = "atr-api-pat-test-v1"
+_ATR_JWT_ISSUER: Final[str] = f"https://{config.get().APP_HOST}/"
_GITHUB_OIDC_AUDIENCE: Final[str] = "atr-test-v1"
_GITHUB_OIDC_EXPECTED: Final[dict[str, str]] = {
"enterprise": "the-asf",
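Review bot: `_ATR_JWT_ISSUER` is built with `config.get().APP_HOST` at module import, so the issuer string is fixed for the life of the process and importing `atr.jwtoken` now forces the config to load; every process that issues or verifies these tokens must therefore see the same `APP_HOST`, or `verify()` will reject tokens minted by a sibling process. If that is the intended contract it deserves a comment, e.g. `# Evaluated once at import; APP_HOST must match on every host that issues or verifies ATR JWTs.` The `https://` scheme and trailing slash are hard-coded here, so the value is an opaque identifier rather than a URL that is ever fetched — presumably fine, but worth stating alongside the audience constant, whose `-test-v1` suffix mirrors `_GITHUB_OIDC_AUDIENCE` and reads as a versioning scheme that is not explained anywhere in the hunk.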
@@ -48,6 +50,8 @@ def issue(uid: str, *, ttl: int = 90 * 60) -> str:
now = datetime.datetime.now(tz=datetime.UTC)
payload = {
"sub": uid,
+ "iss": _ATR_JWT_ISSUER,
+ "aud": _ATR_JWT_AUDIENCE,
"iat": now,
"exp": now + datetime.timedelta(seconds=ttl),
"jti": secrets.token_hex(128 // 8),
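Review bot: `issue()` now emits `iss` and `aud` bound to this deployment, but nothing in the hunk records that contract for callers; the function's signature is in the hunk header and its docstring, if any, lies outside the hunk. A one-line addition to that docstring, `Tokens carry ``iss`` (this deployment's APP_HOST) and ``aud`` (_ATR_JWT_AUDIENCE); verify() requires both.`, would tell readers why a token from another host or an older release is no longer accepted.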
@@ -86,7 +90,14 @@ def unverified_header_and_payload(jwt_value: str) ->
dict[str, Any]:
def verify(token: str) -> dict[str, Any]:
- return jwt.decode(token, _JWT_SECRET_KEY, algorithms=[_ALGORITHM])
+ return jwt.decode(
+ token,
+ _JWT_SECRET_KEY,
+ algorithms=[_ALGORITHM],
+ issuer=_ATR_JWT_ISSUER,
+ audience=_ATR_JWT_AUDIENCE,
+ options={"require": ["sub", "iss", "aud", "iat", "exp", "jti"]},
+ )
async def verify_github_oidc(token: str) -> dict[str, Any]:
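Review bot: The `require` list on the `options=` line rejects every token issued before this commit, since those carry no `iss`/`aud`, with `jwt.MissingRequiredClaimError`, and the new `issuer=`/`audience=` arguments add `InvalidIssuerError`/`InvalidAudienceError` to what `verify()` can raise; callers that catch only narrower types than `jwt.InvalidTokenError` (outside this hunk) would now let those propagate, so the call sites are worth checking. The `"require"` option key exists from PyJWT 2.0 onward — if the project pins an older release the key is silently ignored and the presence check does not apply, so the pin is worth confirming. Note also that requiring `jti` only checks the claim is present; any revocation or replay handling keyed on it still has to happen in the caller. A comment above the call, `# Pre-upgrade tokens lack iss/aud and are rejected here by design; jti presence is checked, not revocation.`, would document the cut-over.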