fix(auth): allow OIDC tokens with non-client audience

cashu/mint/auth/server.py

@@ -109,8 +109,8 @@ def _verify_decode_jwt(self, clear_auth_token: str) -> Any:
                 clear_auth_token,
                 signing_key.key,
                 algorithms=["RS256", "ES256"],
-                audience=settings.mint_auth_oicd_client_id,
                 issuer=self.issuer,
+                options={"verify_aud": False},
             )
             logger.trace(f"Decoded JWT: {decoded}")
             # Bind the token to this mint's OIDC client. Keycloak puts the client

tests/mint/test_mint_auth_server_unit.py

@@ -298,10 +298,12 @@ def __init__(self, key):
     assert decoded_no_azp["sub"] == "bob"
 
 
-def test_verify_decode_jwt_rejects_mismatched_audience(monkeypatch):
+def test_verify_decode_jwt_accepts_non_client_audience(monkeypatch):
     import jwt
     from cryptography.hazmat.primitives.asymmetric import rsa
 
+    from cashu.core.settings import settings
+
     private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
     public_key = private_key.public_key()
 
@@ -318,19 +320,20 @@ def __init__(self, key):
 
     ledger.jwks_client = cast(Any, MockJWKSClient())
 
-    # Token with mismatched audience
+    # NUT-21 does not require access token audience to match the OIDC client id.
     token = jwt.encode(
         {
             "iss": "https://issuer.test",
-            "aud": "wrong-client",
+            "aud": "account",
+            "azp": settings.mint_auth_oicd_client_id,
             "sub": "alice",
         },
         private_key,
         algorithm="RS256",
     )
 
-    with pytest.raises(jwt.InvalidTokenError):
-        ledger._verify_decode_jwt(token)
+    decoded = ledger._verify_decode_jwt(token)
+    assert decoded["sub"] == "alice"
 
 
 def test_verify_decode_jwt_rejects_mismatched_azp(monkeypatch):