Add test for unauthorized audience

lib/galaxy/authnz/managers.py

@@ -421,14 +421,11 @@ def find_user_by_access_token_in_provider(self, sa_session, provider, access_tok
                 return user
             return None
         except Exception as e:
-            msg = f"An error occurred when finding user by token: {e}"
+            msg = f"An error occurred with provider: {provider} when finding user by token: {e}"
             log.error(msg)
             return None
 
     def find_user_by_access_token(self, sa_session, access_token):
-        # decoded_token = jwt.decode(access_token, options={"verify_signature": False})
-        # issuer = decoded_token["iss"]
-        # audience = decoded_token["aud"]
         for provider in self.oidc_backends_config:
             user = self.find_user_by_access_token_in_provider(sa_session, provider, access_token)
             if user:

test/integration/oidc/test_auth_oidc.py

@@ -242,6 +242,13 @@ def test_auth_with_another_authorized_client(self):
         access_token = self._get_keycloak_access_token(client_id="bpaclient", scopes=["gx:*"])
         response = self._get("users/current", headers={"Authorization": f"Bearer {access_token}"})
         self._assert_status_code_is(response, 200)
+        assert response.json()["email"] == "[email protected]"
+
+    def test_auth_with_authorized_client_but_unauthorized_audience(self):
+        _, response = self._login_via_keycloak("bpaonlyuser", KEYCLOAK_TEST_PASSWORD)
+        access_token = self._get_keycloak_access_token(client_id="bpaclient", username="bpaonlyuser")
+        response = self._get("users/current", headers={"Authorization": f"Bearer {access_token}"})
+        self._assert_status_code_is(response, 400)
 
     def test_auth_with_unauthorized_client(self):
         _, response = self._login_via_keycloak(KEYCLOAK_TEST_USERNAME, KEYCLOAK_TEST_PASSWORD)