Merged J.S.'s PR.

Author: rohe

src/oidcendpoint/jwt_token.py

@@ -29,7 +29,7 @@ def add_claims(self, payload, uinfo, claims):
             except KeyError:
                 pass
 
-    def __call__(self, sid, uinfo, sinfo, **kwargs):
+    def __call__(self, sid, uinfo, sinfo, aud=None, **kwargs):
         """
         Return a token.
 
@@ -50,8 +50,7 @@ def __call__(self, sid, uinfo, sinfo, **kwargs):
         payload.update(kwargs)
         signer = JWT(key_jar=self.key_jar, iss=self.issuer,
                      lifetime=self.lifetime, sign_alg=self.alg)
-
-        _aud = [sinfo['client_id']]
+        _aud = aud if isinstance(aud, list) else [aud]
         _aud.extend(self.def_aud)
 
         return signer.pack(payload, aud=_aud)

src/oidcendpoint/session.py

@@ -290,11 +290,13 @@ def replace_token(self, sid, sinfo, token_type):
 
         return sinfo
 
-    def _make_at(self, sid, session_info):
+    def _make_at(self, sid, session_info, aud = None, client_id_aud = True):
         uid = self.sso_db.get_uid_by_sid(sid)
         uinfo = self.userinfo(uid, session_info['client_id'])
-        return self.handler['access_token'](sid=sid, sinfo=session_info,
-                                            uinfo=uinfo)
+        at_aud = aud or []
+        if client_id_aud:
+            at_aud.append(session_info['client_id'])
+        return self.handler['access_token'](sid=sid, sinfo=session_info, uinfo=uinfo, aud=at_aud)
 
     def upgrade_to_token(self, grant=None, issue_refresh=False, id_token="",
                          oidreq=None, key=None, scope=None):