From b29cd05f23d77426054581972ef4ddefd1be28b3 Mon Sep 17 00:00:00 2001
From: callebtc <93376500+callebtc@users.noreply.github.com>
Date: Fri, 26 Jun 2026 00:22:24 +0200
Subject: [PATCH] fix(auth): allow OIDC tokens with non-client audience
---
 cashu/mint/auth/server.py | 2 +-
 tests/mint/test_mint_auth_server_unit.py | 13 ++++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/cashu/mint/auth/server.py b/cashu/mint/auth/server.py
index 24ec351a8..3de3a067d 100644
--- a/cashu/mint/auth/server.py
+++ b/cashu/mint/auth/server.py
@@ -109,8 +109,8 @@ def _verify_decode_jwt(self, clear_auth_token: str) -> Any:
 clear_auth_token,
 signing_key.key,
 algorithms=["RS256", "ES256"],
- audience=settings.mint_auth_oicd_client_id,
 issuer=self.issuer,
+ options={"verify_aud": False},
 )
 logger.trace(f"Decoded JWT: {decoded}")
 # Bind the token to this mint's OIDC client. Keycloak puts the client
diff --git a/tests/mint/test_mint_auth_server_unit.py b/tests/mint/test_mint_auth_server_unit.py
index afeffe6ee..c0939d7d4 100644
--- a/tests/mint/test_mint_auth_server_unit.py
+++ b/tests/mint/test_mint_auth_server_unit.py
@@ -298,10 +298,12 @@ def __init__(self, key):
 assert decoded_no_azp["sub"] == "bob"
- def test_verify_decode_jwt_rejects_mismatched_audience(monkeypatch):
+ def test_verify_decode_jwt_accepts_non_client_audience(monkeypatch):
 import jwt
 from cryptography.hazmat.primitives.asymmetric import rsa
+ from cashu.core.settings import settings
+
 private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
 public_key = private_key.public_key()
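Review bot: `options={"verify_aud": False}` switches off the only claim check in this call that tied the token to this mint, and the `azp` binding that the trailing comment refers to lies outside the hunk, so whether it is enforced for every token is not visible here; the context line `assert decoded_no_azp["sub"] == "bob"` in the test file suggests a token without `azp` still decodes, which would mean an access token from the same issuer issued for an unrelated client now passes with neither an audience nor an azp binding. If NUT-21 only relaxes the requirement that `aud` equal the client id, the safer shape is to leave PyJWT's audience check off but require after decoding that the client id appears in `aud` (string or list) or in `azp`, raising the same error the existing azp mismatch raises otherwise. The option also deserves a why-comment on its own line, e.g. `# NUT-21: aud need not equal our client id; the token is bound to this mint via aud-or-azp below.`. `_verify_decode_jwt` starts and ends outside the hunk, and whether `jwt` is the name bound to PyJWT in this module is inferred from the `algorithms=` keyword, so adjust the exception type to what the module already raises.
```python
            issuer=self.issuer,
            options={"verify_aud": False},
        )
        logger.trace(f"Decoded JWT: {decoded}")
        # NUT-21: aud need not equal our client id, so bind the token to this
        # mint by requiring the client id in either aud or azp.
        client_id = settings.mint_auth_oicd_client_id
        aud = decoded.get("aud")
        aud_values = [aud] if isinstance(aud, str) else list(aud or [])
        if client_id not in aud_values and decoded.get("azp") != client_id:
            # or the error the existing azp check below already raises
            raise jwt.InvalidTokenError("token is not bound to this mint's OIDC client")
        # … unchanged: existing azp check and return …
```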
@@ -318,19 +320,20 @@ def __init__(self, key):
 ledger.jwks_client = cast(Any, MockJWKSClient())
- # Token with mismatched audience
+ # NUT-21 does not require access token audience to match the OIDC client id.
 token = jwt.encode(
 {
 "iss": "https://issuer.test",
- "aud": "wrong-client",
+ "aud": "account",
+ "azp": settings.mint_auth_oicd_client_id,
 "sub": "alice",
 },
 private_key,
 algorithm="RS256",
 )
- with pytest.raises(jwt.InvalidTokenError):
- ledger._verify_decode_jwt(token)
+ decoded = ledger._verify_decode_jwt(token)
+ assert decoded["sub"] == "alice"
 def test_verify_decode_jwt_rejects_mismatched_azp(monkeypatch):
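Review bot: The rewritten test pins only the positive case (`"aud": "account"` together with a matching `azp`), and the negative test it replaces, `test_verify_decode_jwt_rejects_mismatched_audience`, has no successor, so nothing in this file now asserts that a token carrying a foreign audience and no `azp` is rejected; `test_verify_decode_jwt_rejects_mismatched_azp` below covers only a present-but-wrong `azp`. If rejecting such tokens is the intended policy, keep a companion test that encodes `{"iss": "https://issuer.test", "aud": "wrong-client", "sub": "alice"}` without `azp` and asserts `with pytest.raises(jwt.InvalidTokenError): ledger._verify_decode_jwt(token)`. If instead tokens without `azp` are meant to pass (as the `decoded_no_azp` assertion in the previous hunk suggests), say so in the new comment, e.g. `# NUT-21: aud is deliberately not checked against the client id; binding happens via azp when present.`, so the policy change is visible to the next reader. The enclosing test function begins outside the hunk.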