Add support for `aud` (audience) and `iss` (issuer) claims in tokens

[diegocastrum]

The Token class currently lacks support for setting and verifying the aud (audience) and iss (issuer) claims, which are part of the JWT standard as defined in RFC 7519. These claims are essential for validating tokens in multi-service/tenant environments where tokens are issued by one service and consumed by another.

Proposed Solution

• Add Methods to Set and Verify Claims:

  • Introduce methods like set_aud and set_iss to populate the aud and iss claims when creating tokens.
  • Add a verify_aud and verify_iss method to validate these claims during token verification.

• Configuration Options:

  • Add settings in api_settings to define default values for aud and iss claims.
  • Allow these settings to be overridden dynamically when creating tokens.

• Backward Compatibility:

  • Ensure that these changes are optional and do not break existing functionality for users who do not require aud and iss claims.

[yashzod]

djangorestframework-simplejwt/rest_framework_simplejwt/backends.py

Line 151 in 890e136

def decode(self, token: Token, verify: bool = True) -> dict[str, Any]:

@diegocastrum Please check the decode method, issuer and audience are already being checked here.

[diegocastrum]

Thanks @yashzod, I really appreciate your feedback! I also noticed this locally while working on it.

This feature allows dynamic issuer setting during token creation, but the validation logic doesn’t support checking against different issuers yet, it only validates against the global issuer configured in the settings.

To solve this kind of architectural inconsistency, I was thinking of extracting the issuer from the token before validation and passing it explicitly to PyJWT.