@@ -47,7 +47,7 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
4747 if _now + skew < decoded .get ("nbf" , _now - 1 ): # nbf is optional per JWT specs
4848 # This is not an ID token validation, but a JWT validation
4949 # https://tools.ietf.org/html/rfc7519#section-4.1.5
50- err = "0. The ID token is not yet valid"
50+ err = "0. The ID token is not yet valid. "
5151 if issuer and issuer != decoded ["iss" ]:
5252 # https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
5353 err = ('2. The Issuer Identifier for the OpenID Provider, "%s", '
@@ -57,7 +57,11 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
5757 valid_aud = client_id in decoded ["aud" ] if isinstance (
5858 decoded ["aud" ], list ) else client_id == decoded ["aud" ]
5959 if not valid_aud :
60- err = "3. The aud (audience) Claim must contain this client's client_id."
60+ err = (
61+ "3. The aud (audience) claim must contain this client's client_id "
62+ '"%s", case-sensitively. Was your client_id in wrong casing?'
63+ # Some IdP accepts wrong casing request but issues right casing IDT
64+ ) % client_id
6165 # Per specs:
6266 # 6. If the ID Token is received via direct communication between
6367 # the Client and the Token Endpoint (which it is during _obtain_token()),
@@ -67,9 +71,9 @@ def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None)
6771 err = "9. The current time MUST be before the time represented by the exp Claim."
6872 if nonce and nonce != decoded .get ("nonce" ):
6973 err = ("11. Nonce must be the same value "
70- "as the one that was sent in the Authentication Request" )
74+ "as the one that was sent in the Authentication Request. " )
7175 if err :
72- raise RuntimeError ("%s id_token was: %s" % (
76+ raise RuntimeError ("%s The id_token was: %s" % (
7377 err , json .dumps (decoded , indent = 2 )))
7478 return decoded
7579
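Review bot: The rewritten raise at the end of this hunk, `raise RuntimeError("%s The id_token was: %s" % (err, json.dumps(decoded, indent=2)))`, still serialises the entire decoded claim set into the exception text, and ID-token payloads routinely carry personal data (e-mail, name, `sub`) that then lands in application logs and crash reporters whenever a validation failure is logged. Every check in this function only inspects `nbf`, `iss`, `aud`, `exp` and `nonce`, so the diagnostic keeps its value if it prints just those, e.g. `json.dumps({k: decoded.get(k) for k in ("iss", "aud", "exp", "nbf", "nonce")}, indent=2)`, or prints `sorted(decoded)` and leaves the values out. A smaller point in the same hunk: each failing check overwrites `err`, so when several checks fail only the last message (the nonce one) is reported; appending to a list and joining would show every mismatch at once. `decode_id_token` begins before the first hunk, so whether callers already catch and redact this RuntimeError cannot be confirmed from here.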