From d17cb7e4a5564cb7de2c0e0758cdcf187824b2ce Mon Sep 17 00:00:00 2001
From: James
Date: Tue, 5 Aug 2025 16:11:16 -0400
Subject: [PATCH 1/4] audience

---
 docker-compose.yaml | 3 +++
 src/stac_auth_proxy/app.py | 1 +
 src/stac_auth_proxy/config.py | 1 +
 src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py | 3 +++
 4 files changed, 8 insertions(+)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index 867cadb8..551a4991 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -91,6 +91,9 @@ services:
 UPSTREAM_URL: ${UPSTREAM_URL:-http://stac:8001}
 OIDC_DISCOVERY_URL: ${OIDC_DISCOVERY_URL:-http://localhost:8888/.well-known/openid-configuration}
 OIDC_DISCOVERY_INTERNAL_URL: ${OIDC_DISCOVERY_INTERNAL_URL:-http://oidc:8888/.well-known/openid-configuration}
+ AUDIENCE: ${AUDIENCE}
+
+
 env_file:
 - path: .env
 required: false
diff --git a/src/stac_auth_proxy/app.py b/src/stac_auth_proxy/app.py
index 90611a9f..a456ef2a 100644
--- a/src/stac_auth_proxy/app.py
+++ b/src/stac_auth_proxy/app.py
@@ -157,6 +157,7 @@ async def lifespan(app: FastAPI):
 private_endpoints=settings.private_endpoints,
 default_public=settings.default_public,
 oidc_discovery_url=settings.oidc_discovery_internal_url,
+ allowed_jwt_audiences=settings.audience,
 )
 
 if settings.root_path or settings.upstream_url.path != "/":
diff --git a/src/stac_auth_proxy/config.py b/src/stac_auth_proxy/config.py
index c1d8bedc..5c132a1f 100644
--- a/src/stac_auth_proxy/config.py
+++ b/src/stac_auth_proxy/config.py
@@ -39,6 +39,7 @@ class Settings(BaseSettings):
 upstream_url: HttpUrl
 oidc_discovery_url: HttpUrl
 oidc_discovery_internal_url: HttpUrl
+ audience: str
 root_path: str = ""
 override_host: bool = True
 
diff --git a/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py b/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
index 7d7bc177..c7ebed3e 100644
--- a/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
+++ b/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
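Review bot: `AUDIENCE: ${AUDIENCE}` in the compose `environment` block has no default, unlike the neighbouring `${UPSTREAM_URL:-…}` entries, so when the variable is not exported compose substitutes an empty string and the container always receives `AUDIENCE=""` rather than no variable at all. Under pydantic-settings an empty value is still a value unless `env_ignore_empty` is enabled, so the `Optional[str] = None` default this series ends up with in PATCH 4/4 would be bypassed and `allowed_jwt_audiences=""` handed to the middleware; what the middleware does with an empty audience is not visible here. I'd drop the line and let the existing `env_file` entry carry `AUDIENCE` when a deployment wants it, or alternatively keep it and add a `mode="before"` field validator on `Settings.audience` that maps `""` to `None`. The two added blank lines inside the mapping look unintentional and should go.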
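Review bot: `allowed_jwt_audiences=settings.audience` passes a single optional string into a parameter whose plural name suggests a collection; the middleware signature is not part of this series, so confirm it accepts a bare `str` and `None` rather than iterating over the value (a `str` iterated character by character would match no real audience). The docs added in PATCH 2/4 promise that an unset `AUDIENCE` skips the `aud` check, but the usual decoders (PyJWT, python-jose) reject a token that carries an `aud` claim when `audience=None` is supplied unless `verify_aud` is switched off, so that promise needs a test with an aud-bearing token and no `AUDIENCE` set. Since an absent audience also means the proxy accepts any token the issuer minted for some other resource server, I'd make that visible at startup, e.g. `if settings.audience is None: logger.warning("AUDIENCE not set; JWT 'aud' claim will not be verified")`. The `lifespan` function continues outside the hunk.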
@@ -173,6 +173,9 @@ def validate_token(
 detail="Not enough permissions",
 headers={"WWW-Authenticate": f'Bearer scope="{scope}"'},
 )
+
+ # if required_permissions:
+ # for perm in required_permissions:
 return payload
 
 @property
From 4504c2b12a14e48545ee9d64c5b2000190c7ac2e Mon Sep 17 00:00:00 2001
From: James
Date: Tue, 5 Aug 2025 22:34:23 -0400
Subject: [PATCH 2/4] docs

---
 docs/configuration.md | 8 ++++++++
 src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py | 2 --
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/docs/configuration.md b/docs/configuration.md
index 631dcbcc..ac738aaf 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -79,6 +79,14 @@ The application is configurable via environment variables.
 **Required:** No, defaults to the value of `OIDC_DISCOVERY_URL`
 **Example:** `http://auth/.well-known/openid-configuration`
 
+### `AUDIENCE`
+
+: The unique identifier of your API resource server
+
+ The AUDIENCE environment variable specifies the intended recipient of OAuth2 access tokens. This value represents the unique identifier of your API resource server and must match the `aud` (audience) claim present in incoming OAuth2 access tokens. If undefined the API will not impose a check on the `aud` claim
+
+OAuth2 Audience Claim
+
 ### `DEFAULT_PUBLIC`
 
 : Default access policy for endpoints
diff --git a/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py b/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
index c7ebed3e..8f26b025 100644
--- a/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
+++ b/src/stac_auth_proxy/middleware/EnforceAuthMiddleware.py
@@ -174,8 +174,6 @@ def validate_token(
 headers={"WWW-Authenticate": f'Bearer scope="{scope}"'},
 )
 
- # if required_permissions:
- # for perm in required_permissions:
 return payload
 
 @property
From 27c8a7f0658c9cd66347562fe06cff45a8e0bb9f Mon Sep 17 00:00:00 2001
From: James
Date: Tue, 5 Aug 2025 22:53:04 -0400
Subject: [PATCH 3/4] audience default

---
 src/stac_auth_proxy/config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/stac_auth_proxy/config.py b/src/stac_auth_proxy/config.py
index 5c132a1f..49a0ce4e 100644
--- a/src/stac_auth_proxy/config.py
+++ b/src/stac_auth_proxy/config.py
@@ -39,7 +39,7 @@ class Settings(BaseSettings):
 upstream_url: HttpUrl
 oidc_discovery_url: HttpUrl
 oidc_discovery_internal_url: HttpUrl
- audience: str
+ audience: str = None
 root_path: str = ""
 override_host: bool = True
 
From 5527edcc142c91fdfa3dbc01ee98c038df59b566 Mon Sep 17 00:00:00 2001
From: James
Date: Tue, 5 Aug 2025 22:54:49 -0400
Subject: [PATCH 4/4] optional

---
 src/stac_auth_proxy/config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/stac_auth_proxy/config.py b/src/stac_auth_proxy/config.py
index 49a0ce4e..27496238 100644
--- a/src/stac_auth_proxy/config.py
+++ b/src/stac_auth_proxy/config.py
@@ -39,7 +39,7 @@ class Settings(BaseSettings):
 upstream_url: HttpUrl
 oidc_discovery_url: HttpUrl
 oidc_discovery_internal_url: HttpUrl
- audience: str = None
+ audience: Optional[str] = None
 root_path: str = ""
 override_host: bool = True
 
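Review bot: `audience: Optional[str] = None` needs `Optional` from `typing`, and none of `config.py`'s imports are in this hunk, so if the module does not already import it the `Settings` class body raises `NameError` at import time. If the project runs on Python 3.10+, `audience: str | None = None` sidesteps the import question. Because this default switches audience enforcement off for every deployment that does not set `AUDIENCE`, the field deserves a comment saying so: `# aud value tokens must carry; None means no audience is enforced (see docs/configuration.md)`. The `Settings` class continues outside the hunk.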