fix(#25): this commit introduces audience assignment for client and validate in access token

https-richardy · https-richardy · commit 7651caef76cd · 2026-04-25T10:49:34.000-03:00
diff --git a/Applications/Backend/Tests/Integration/Endpoints/ConnectEndpointTests.cs b/Applications/Backend/Tests/Integration/Endpoints/ConnectEndpointTests.cs
@@ -284,6 +284,12 @@ public async Task WhenPostTokenWithValidAuthorizationCode_ShouldReturnAccessToke
         Assert.NotEmpty(clients);
         Assert.NotNull(client);
 
+        // arrange: assign client audience
+        var assignAudience = new AssignClientAudienceScheme { Value = "backend.api" };
+        var assignAudienceResponse = await realmAdminClient.PostAsJsonAsync($"api/v1/clients/{client.Id}/audiences", assignAudience);
+
+        Assert.Equal(HttpStatusCode.OK, assignAudienceResponse.StatusCode);
+
         // arrange: create user for realm
         var credentials = new IdentityEnrollmentCredentials
         {
@@ -341,6 +347,7 @@ public async Task WhenPostTokenWithValidAuthorizationCode_ShouldReturnAccessToke
             ExpiresAt = DateTime.UtcNow.AddMinutes(5),
             Metadata = new Dictionary<string, string>
             {
+                ["client.id"] = client.ClientId,
                 ["code.challenge"] = codeChallenge,
                 ["code.challenge.method"] = codeChallengeMethod
             }
@@ -367,5 +374,15 @@ public async Task WhenPostTokenWithValidAuthorizationCode_ShouldReturnAccessToke
         // assert: response should be 200 OK
         Assert.Equal(HttpStatusCode.OK, response.StatusCode);
         Assert.NotNull(grant);
+
+        var handler = new JwtSecurityTokenHandler();
+        var jwt = handler.ReadJwtToken(grant.AccessToken);
+        var audiences = jwt.Claims
+            .Where(claim => claim.Type == JwtRegisteredClaimNames.Aud)
+            .Select(claim => claim.Value)
+            .ToList();
+
+        Assert.Contains("backend.api", audiences);
+        Assert.DoesNotContain(realm.Name, audiences);
     }
 }
