From a6e60a5d4264b94dd13f2948e017acfb43681378 Mon Sep 17 00:00:00 2001
From: Heitor Carvalho
Date: Wed, 9 Jul 2025 18:09:01 -0300
Subject: [PATCH] fix: use production workos environment id (#3129)
---
 src/crewai/cli/authentication/constants.py | 2 +-
 src/crewai/cli/authentication/utils.py | 13 +++++++++++--
 tests/cli/authentication/test_utils.py | 2 +-
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/crewai/cli/authentication/constants.py b/src/crewai/cli/authentication/constants.py
index c8c7dc5e6..0616d5407 100644
--- a/src/crewai/cli/authentication/constants.py
+++ b/src/crewai/cli/authentication/constants.py
@@ -5,4 +5,4 @@ AUTH0_AUDIENCE = "https://crewai.us.auth0.com/api/v2/"
 WORKOS_DOMAIN = "login.crewai.com"
 WORKOS_CLI_CONNECT_APP_ID = "client_01JYT06R59SP0NXYGD994NFXXX"
-WORKOS_ENVIRONMENT_ID = "client_01JNJQWB4HG8T5980R5VHP057C"
+WORKOS_ENVIRONMENT_ID = "client_01JNJQWBJ4SPFN3SWJM5T7BDG8"
diff --git a/src/crewai/cli/authentication/utils.py b/src/crewai/cli/authentication/utils.py
index e9ec6d45e..8b632ba37 100644
--- a/src/crewai/cli/authentication/utils.py
+++ b/src/crewai/cli/authentication/utils.py
@@ -30,6 +30,9 @@ def validate_jwt_token(
 jwk_client = PyJWKClient(jwks_url)
 signing_key = jwk_client.get_signing_key_from_jwt(jwt_token)
+ _unverified_decoded_token = jwt.decode(
+ jwt_token, options={"verify_signature": False}
+ )
 decoded_token = jwt.decode(
 jwt_token,
 signing_key.key,
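Review bot: The added `jwt.decode(jwt_token, options={"verify_signature": False})` runs on every call and keeps unverified claims in scope next to `decoded_token`, although they are only read in two error branches. Moving the unverified decode into the `except jwt.InvalidAudienceError` and `except jwt.InvalidIssuerError` handlers, or into a small helper they call, would keep the success path free of unverified data. If it stays where it is, a comment such as `# Diagnostics only: claims decoded without signature verification must never feed an auth decision.` would guard against a later edit returning or trusting it. The enclosing function starts and ends outside this hunk, so whether a decode error raised by this new call reaches a suitable handler cannot be checked from here.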
@@ -49,9 +52,15 @@ def validate_jwt_token(
 except jwt.ExpiredSignatureError:
 raise Exception("Token has expired.")
 except jwt.InvalidAudienceError:
- raise Exception(f"Invalid token audience. Expected: '{audience}'")
+ actual_audience = _unverified_decoded_token.get("aud", "[no audience found]")
+ raise Exception(
+ f"Invalid token audience. Got: '{actual_audience}'. Expected: '{audience}'"
+ )
 except jwt.InvalidIssuerError:
- raise Exception(f"Invalid token issuer. Expected: '{issuer}'")
+ actual_issuer = _unverified_decoded_token.get("iss", "[no issuer found]")
+ raise Exception(
+ f"Invalid token issuer. Got: '{actual_issuer}'. Expected: '{issuer}'"
+ )
 except jwt.MissingRequiredClaimError as e:
 raise Exception(f"Token is missing required claims: {str(e)}")
 except jwt.exceptions.PyJWKClientError as e:
diff --git a/tests/cli/authentication/test_utils.py b/tests/cli/authentication/test_utils.py
index 0b2ed3cd3..c899aa57c 100644
--- a/tests/cli/authentication/test_utils.py
+++ b/tests/cli/authentication/test_utils.py
@@ -27,7 +27,7 @@ class TestValidateToken(unittest.TestCase):
 audience="app_id_xxxx",
 )
- mock_jwt.decode.assert_called_once_with(
+ mock_jwt.decode.assert_called_with(
 "aaaaa.bbbbbb.cccccc",
 "mock_signing_key",
 algorithms=["RS256"],
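Review bot: The new `Got: '{actual_audience}'` and `Got: '{actual_issuer}'` fragments put token-supplied claim values into the exception text unescaped and without any length bound. Because these strings originate in the token rather than in the caller's arguments, formatting them with `!r`, for example `Got: {actual_issuer!r}.`, keeps newlines and control characters out of terminal or log output. The `aud` claim may also be a list, which `!r` renders unambiguously. These handlers belong to a try block that begins outside this hunk.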
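Review bot: Switching to `assert_called_with` checks only the last `decode` call, so the test no longer pins how many times the token is decoded or what the unverified call looks like. Adding `assert mock_jwt.decode.call_count == 2` and `mock_jwt.decode.assert_any_call("aaaaa.bbbbbb.cccccc", options={"verify_signature": False})` would keep the verified decode as the final call while making the diagnostic one explicit. A test that drives the audience-mismatch or issuer-mismatch path and checks the new `Got:` text would cover the changed messages; none is visible in this patch. The assertion's argument list continues past the end of the hunk.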