Allows multiple values for 'iss'

theashguy · Jul 27, 2016 · a72158c · a72158c
1 parent 8766f13
commit a72158c
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 5 deletions.
diff --git a/jose/jwt.py b/jose/jwt.py
@@ -72,9 +72,9 @@ def decode(token, key, algorithms=None, options=None, audience=None,
  audience (str): The intended audience of the token. If the "aud" claim is
  included in the claim set, then the audience must be included and must equal
  the provided claim.
- issuer (str): The issuer of the token. If the "iss" claim is
- included in the claim set, then the issuer must be included and must equal
- the provided claim.
+ issuer (str or iterable): Acceptable value(s) for the issuer of the token.
+ If the "iss" claim is included in the claim set, then the issuer must be
+ given and the claim in the token must be among the acceptable values.
  subject (str): The subject of the token. If the "sub" claim is
  included in the claim set, then the subject must be included and must equal
  the provided claim.
@@ -345,11 +345,14 @@ def _validate_iss(claims, issuer=None):
 
  Args:
  claims (dict): The claims dictionary to validate.
- issuer (str): The issuer that sent the token.
+ issuer (str or iterable): Acceptable value(s) for the issuer that
+ signed the token.
  """
 
  if issuer is not None:
- if claims.get('iss') != issuer:
+ if isinstance(issuer, string_types):
+ issuer = [issuer]
+ if claims.get('iss') not in issuer:
  raise JWTClaimsError('Invalid issuer')
 
 

diff --git a/tests/test_jwt.py b/tests/test_jwt.py
@@ -347,6 +347,17 @@ def test_iss_string(self, key):
  token = jwt.encode(claims, key)
  jwt.decode(token, key, issuer=iss)
 
+ def test_iss_list(self, key):
+
+ iss = 'issuer'
+
+ claims = {
+ 'iss': iss
+ }
+
+ token = jwt.encode(claims, key)
+ jwt.decode(token, key, issuer=['https://issuer', 'issuer'])
+
  def test_iss_invalid(self, key):
 
  iss = 'issuer'