From bafcdeaa8b548b86a67d0708e6cf16ea19ee3bf9 Mon Sep 17 00:00:00 2001
From: Stu Alexander
Date: Mon, 5 Jan 2026 09:12:04 +0000
Subject: [PATCH 1/2] added JWT issuers for audience auth for service interop and shared user accounts

---
 .env.template | 4 ++++
 backends/advanced/src/advanced_omi_backend/auth.py | 11 ++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/.env.template b/.env.template
index 328d3301..ed3b57d2 100644
--- a/.env.template
+++ b/.env.template
@@ -55,6 +55,10 @@ SPEAKER_SERVICE_URL=http://${DOMAIN}:${SPEAKER_PORT}
 # JWT secret key - make this random and long
 AUTH_SECRET_KEY=your-super-secret-jwt-key-here-make-it-random-and-long
 
+# JWT-token issuer ACCEPTED_ISSUERS can be a comma-separated list of accepted issuers
+# defaults to 'chronicle' if not set
+# ACCEPTED_ISSUERS=chronicle
+
 # Admin account
 ADMIN_EMAIL=admin@example.com
 ADMIN_PASSWORD=secure-admin-password
diff --git a/backends/advanced/src/advanced_omi_backend/auth.py b/backends/advanced/src/advanced_omi_backend/auth.py
index 7c68d0b4..f1b7909a 100644
--- a/backends/advanced/src/advanced_omi_backend/auth.py
+++ b/backends/advanced/src/advanced_omi_backend/auth.py
@@ -50,6 +50,14 @@ def _verify_configured(var_name: str, *, optional: bool = False) -> Optional[str
 ADMIN_PASSWORD = _verify_configured("ADMIN_PASSWORD")
 ADMIN_EMAIL = _verify_configured("ADMIN_EMAIL", optional=True) or "admin@example.com"
 
+# Accepted token issuers - comma-separated list of services whose tokens we accept
+# Default: "chronicle,ushadow" (accept tokens from both chronicle and ushadow)
+ACCEPTED_ISSUERS = [
+    iss.strip()
+    for iss in os.getenv("ACCEPTED_TOKEN_ISSUERS", "chronicle,ushadow").split(",")
+    if iss.strip()
+]
+logger.info(f"Accepting tokens from issuers: {ACCEPTED_ISSUERS}")
 
 class UserManager(BaseUserManager[User, PydanticObjectId]):
     """User manager with minimal customization for fastapi-users."""
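Review bot: The environment variable read here is `ACCEPTED_TOKEN_ISSUERS`, but the `.env.template` hunk in this patch (and its amendment in PATCH 2/2) documents the setting as `ACCEPTED_ISSUERS`, so an operator following the template sets a variable the code never reads and silently runs with the `chronicle,ushadow` default. Use one name in both places, e.g. `for iss in os.getenv("ACCEPTED_ISSUERS", "chronicle,ushadow").split(",")`, or change the template to match the code. The comment above the list calls these values "issuers", yet the second hunk of this file passes them as `token_audience`, which matches the JWT `aud` claim rather than `iss`; a comment such as `# Matched against the JWT "aud" claim via JWTStrategy.token_audience; the "iss" claim is not checked` would stop the next reader from assuming issuer validation exists. Minor: `logger.info("Accepting tokens from issuers: %s", ACCEPTED_ISSUERS)` defers formatting to the logging call, in line with the usual logging idiom.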
@@ -100,7 +108,8 @@ async def get_user_manager(user_db=Depends(get_user_db)):
 def get_jwt_strategy() -> JWTStrategy:
     """Get JWT strategy for token generation and validation."""
     return JWTStrategy(
-        secret=SECRET_KEY, lifetime_seconds=JWT_LIFETIME_SECONDS
+        secret=SECRET_KEY, lifetime_seconds=JWT_LIFETIME_SECONDS,
+        token_audience=["fastapi-users:auth"] + ACCEPTED_ISSUERS
     )
 
 

From cfb9ceb9fd88d8535758fe26d7a8dda48a5c7aad Mon Sep 17 00:00:00 2001
From: Stu Alexander
Date: Tue, 6 Jan 2026 08:39:30 +0000
Subject: [PATCH 2/2] amended default value in line wioth code

---
 .env.template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.env.template b/.env.template
index ed3b57d2..c2a4d8a2 100644
--- a/.env.template
+++ b/.env.template
@@ -56,8 +56,8 @@ SPEAKER_SERVICE_URL=http://${DOMAIN}:${SPEAKER_PORT}
 AUTH_SECRET_KEY=your-super-secret-jwt-key-here-make-it-random-and-long
 
 # JWT-token issuer ACCEPTED_ISSUERS can be a comma-separated list of accepted issuers
-# defaults to 'chronicle' if not set
-# ACCEPTED_ISSUERS=chronicle
+# defaults to 'chronicle,ushadow' if not set
+# ACCEPTED_ISSUERS=chronicle,ushadow
 
 # Admin account
 ADMIN_EMAIL=admin@example.com
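Review bot: `token_audience` is the list fastapi-users' JWTStrategy writes into the `aud` claim of every token it issues and also passes as the accepted audience when decoding, so after this change any token signed with the shared `SECRET_KEY` whose `aud` contains one of the configured names is accepted here, and the `iss` claim is never verified despite the `ACCEPTED_ISSUERS` naming. That is presumably the intended cross-service behaviour, but the docstring should say so, since the trust boundary now depends entirely on which peers hold the secret; extend it with `Tokens are accepted when signed with SECRET_KEY and carrying any audience in ACCEPTED_ISSUERS; the issuer claim is not checked.` Note too that with an empty `ACCEPTED_ISSUERS` the audience silently collapses to `["fastapi-users:auth"]` alone, which is a reasonable safe default but worth a one-line comment.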