feat(embedded): aud claim and type for guest token (#18651)

* add aud claim and type for guest token * update test * lint * make jwt audience configurable * lint * Apply suggestions from code review Co-authored-by: David Aaron Suddjian <1858430+suddjian@users.noreply.github.com> * verify aud * add tests for aud and type claim Co-authored-by: David Aaron Suddjian <1858430+suddjian@users.noreply.github.com>
2026-04-21 00:54:44 +00:00 · 2022-02-14 10:43:35 -08:00
parent 4001165f55
commit e6ea197e9f
4 changed files with 72 additions and 3 deletions
--- a/tests/integration_tests/security/api_tests.py
+++ b/tests/integration_tests/security/api_tests.py
@@ -22,6 +22,7 @@ import jwt

 from tests.integration_tests.base_tests import SupersetTestCase
 from flask_wtf.csrf import generate_csrf
+from superset.utils.urls import get_url_host


 class TestSecurityCsrfApi(SupersetTestCase):
@@ -90,6 +91,8 @@ class TestSecurityGuestTokenApi(SupersetTestCase):

        self.assert200(response)
        token = json.loads(response.data)["token"]
-        decoded_token = jwt.decode(token, self.app.config["GUEST_TOKEN_JWT_SECRET"])
+        decoded_token = jwt.decode(
+            token, self.app.config["GUEST_TOKEN_JWT_SECRET"], audience=get_url_host()
+        )
        self.assertEqual(user, decoded_token["user"])
        self.assertEqual(resource, decoded_token["resources"][0])