From 0f7686543657be27c087c1eba7df27af82ef4cbf Mon Sep 17 00:00:00 2001
From: Pauline <4224001+paulineribeyre@users.noreply.github.com>
Date: Fri, 27 Jan 2023 14:24:40 -0600
Subject: [PATCH] fix token audience/scopes validation
---
 sheepdog/blueprint/routes/views/__init__.py | 6 +++++-
 sheepdog/blueprint/routes/views/program/__init__.py | 6 +++++-
 sheepdog/blueprint/routes/views/program/project.py | 12 ++++++++++--
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/sheepdog/blueprint/routes/views/__init__.py b/sheepdog/blueprint/routes/views/__init__.py
index b58c0094..a6585676 100644
--- a/sheepdog/blueprint/routes/views/__init__.py
+++ b/sheepdog/blueprint/routes/views/__init__.py
@@ -54,7 +54,11 @@ def get_programs():
 }
 """
 if flask.current_app.config.get("AUTH_SUBMISSION_LIST", True) is True:
- auth.validate_request(aud={"openid"}, purpose=None)
+ auth.validate_request(
+ scope={"openid"},
+ audience=flask.current_app.config.get("BASE_URL"),
+ purpose=None,
+ )
 with flask.current_app.db.session_scope():
 programs = current_app.db.nodes(models.Program.name).all()
 links = [flask.url_for(".get_projects", program=p[0]) for p in programs]
diff --git a/sheepdog/blueprint/routes/views/program/__init__.py b/sheepdog/blueprint/routes/views/program/__init__.py
index 3bd32c5a..ad551f98 100644
--- a/sheepdog/blueprint/routes/views/program/__init__.py
+++ b/sheepdog/blueprint/routes/views/program/__init__.py
@@ -59,7 +59,11 @@ def get_projects(program):
 }
 """
 if flask.current_app.config.get("AUTH_SUBMISSION_LIST", True) is True:
- auth.validate_request(aud={"openid"}, purpose=None)
+ auth.validate_request(
+ scope={"openid"},
+ audience=flask.current_app.config.get("BASE_URL"),
+ purpose=None,
+ )
 with flask.current_app.db.session_scope():
 matching_programs = flask.current_app.db.nodes(models.Program).props(
 name=program
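Review bot: In get_programs the new `audience=flask.current_app.config.get("BASE_URL")` evaluates to `None` whenever BASE_URL is absent from the app config, and this patch does not show how `auth.validate_request` treats a `None` audience. If it relaxes or skips the audience check in that case, a misconfigured deployment would accept tokens issued for other services, so it is worth confirming that it rejects instead. Reading the key directly, `audience=flask.current_app.config["BASE_URL"],`, turns a missing setting into an immediate error at the call. The same argument is added in get_projects, get_project_dictionary and get_project_dictionary_entry; all four function bodies begin outside their hunks.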
diff --git a/sheepdog/blueprint/routes/views/program/project.py b/sheepdog/blueprint/routes/views/program/project.py
index e623d9b4..10f5ce31 100644
--- a/sheepdog/blueprint/routes/views/program/project.py
+++ b/sheepdog/blueprint/routes/views/program/project.py
@@ -132,7 +132,11 @@ def get_project_dictionary(program=None, project=None):
 403: Unauthorized request.
 """
 if flask.current_app.config.get("AUTH_SUBMISSION_LIST", True) is True:
- auth.validate_request(aud={"openid"}, purpose=None)
+ auth.validate_request(
+ scope={"openid"},
+ audience=flask.current_app.config.get("BASE_URL"),
+ purpose=None,
+ )
 keys = list(dictionary.schema.keys()) + ["_all"]
 links = [
 flask.url_for(
@@ -228,7 +232,11 @@ def get_project_dictionary_entry(program, project, entry):
 403: Unauthorized request.
 """
 if flask.current_app.config.get("AUTH_SUBMISSION_LIST", True) is True:
- auth.validate_request(aud={"openid"}, purpose=None)
+ auth.validate_request(
+ scope={"openid"},
+ audience=flask.current_app.config.get("BASE_URL"),
+ purpose=None,
+ )
 return get_dictionary_entry(entry)
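Review bot: The corrected token check in get_project_dictionary and get_project_dictionary_entry still runs only when `config.get("AUTH_SUBMISSION_LIST", True) is True`, so any configured value other than the boolean `True` (a string such as `"true"`, for example) skips `auth.validate_request` entirely and the endpoint is served unauthenticated. If the setting is meant as an explicit opt-out, testing for that keeps unexpected values on the authenticated path: `if flask.current_app.config.get("AUTH_SUBMISSION_LIST", True) is not False:`. The same gate wraps the calls in get_programs and get_projects. Both functions here start outside their hunks, so whether the value is normalised earlier is not visible.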