No "azp" field is created when using the SDK to create a JWT, thus no "azp" can be used when validating the JWT #90

Open
aaronmaxcarver opened this issue Feb 2, 2025 · 1 comment

@aaronmaxcarver

There's no "azp" field returned in the JWT when using the SDK to fetch a JWT. This happens for the default JWT and for JWT templates.

The docs call out that "azp" will be included automatically (see here):

  // default claims, included automatically
  "azp": "http://localhost:3000",

And the JWT Template builder prevents adding "azp":

You can't use the reserved claim: azp

But when the SDK is used to fetch a JWT for a session:

import asyncio
import os
from clerk_backend_api import Clerk  # import path of the Clerk Python SDK (added for completeness)

CLERK_SECRET_KEY = os.getenv("CLERK_SECRET_KEY")

async def fetch_session_jwt() -> str:
    # Ask the Backend API to mint a session token for an existing session
    async with Clerk(bearer_auth=CLERK_SECRET_KEY) as clerk:
        res = await clerk.sessions.create_session_token_async(
            session_id="REDACTED"
        )
        assert res is not None
    return res.jwt

jwt_token = asyncio.run(fetch_session_jwt())
print(jwt_token)

The decoded JWT value has no azp key:

{
  "email_verified": true,
  "exp": 1738520013,
  "fva": [
    5370,
    -1
  ],
  "iat": 1738519953,
  "iss": "https://REDACTED.clerk.accounts.dev",
  "jti": "REDACTED",
  "nbf": 1738519943,
  "primary_email_address": "REDACTED",
  "public_metadata": {
    "admin": "true"
  },
  "sid": "REDACTED",
  "sub": "REDACTED"
}

So when that JWT is checked by Clerk's authenticate_request, there's no way to enforce "azp". (Removing the options entirely does allow the JWT to be validated.)

import os
from clerk_backend_api import Clerk
from clerk_backend_api.jwks_helpers import AuthenticateRequestOptions, RequestState  # assumed module path for these helpers

def authenticate(request, azp: list) -> RequestState:
    # Verify the incoming request's session JWT and restrict the accepted azp values
    clerk = Clerk(bearer_auth=os.getenv("CLERK_SECRET_KEY"))
    auth_result: RequestState = clerk.authenticate_request(
        request,  # type: ignore
        AuthenticateRequestOptions(
            authorized_parties=azp,
        ),
    )
    return auth_result

Result:

RequestState(status=<AuthStatus.SIGNED_OUT: 'signed-out'>, reason=<TokenVerificationErrorReason.TOKEN_INVALID_AUTHORIZED_PARTIES: ('token-invalid-authorized-parties', 'Authorized party claim (azp) does not match any of the authorized parties.')>, token=None, payload=None)

Please add the "azp" key by default or allow some way to get it, e.g. via setting the value in the JWT Template or passing the value as a parameter in the SDK calls for fetching JWTs.
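The behaviour described in this report, as an added example that is not part of the issue or of the Clerk SDK: a small check that mirrors the authorized-party rule (no list configured means the check is skipped; with a list, the azp claim must be present and on it), run over a constructed, unsigned token whose payload has the shape shown above. Signature verification is deliberately left out here; a real verifier checks the signature against the issuer's JWKS before trusting any claim.

```python
import base64
import json
from typing import List, Optional, Tuple

# Same reason tuple the SDK reports in the RequestState shown in the issue
AZP_ERROR = ("token-invalid-authorized-parties",
             "Authorized party claim (azp) does not match any of the authorized parties.")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_authorized_party(payload: dict,
                           authorized_parties: Optional[List[str]]) -> Tuple[bool, Optional[tuple]]:
    """Skip the check when no parties are configured; otherwise require a matching azp."""
    if not authorized_parties:
        return (True, None)          # nothing to enforce: token is not bound to an origin
    azp = payload.get("azp")
    if azp is None or azp not in authorized_parties:
        return (False, AZP_ERROR)    # missing claim fails exactly like a wrong one
    return (True, None)


def build_unsigned_token(payload: dict) -> str:
    """Constructed sample token (header.payload with an empty signature), for the demo only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed payload mirroring the report: iss/iat/exp present, no "azp" (placeholder values)
PAYLOAD_NO_AZP = {"sub": "user_placeholder", "sid": "sess_placeholder",
                  "iss": "https://example.clerk.accounts.dev",
                  "iat": 1738519953, "exp": 1738520013}
TOKEN_NO_AZP = build_unsigned_token(PAYLOAD_NO_AZP)
TOKEN_WITH_AZP = build_unsigned_token({**PAYLOAD_NO_AZP, "azp": "http://localhost:3000"})

if __name__ == "__main__":
    for name, tok in (("no azp", TOKEN_NO_AZP), ("with azp", TOKEN_WITH_AZP)):
        print(name, check_authorized_party(decode_payload(tok), ["http://localhost:3000"]))
```

Dropping authorized_parties makes the token verify, as the report notes, but it also removes the only check that ties the token to an expected origin, which is why having the claim present matters.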
