Do not fail in JWT decode() if at_hash claim is missing

Fixes mpdavis#75
leplatrem · Feb 2, 2018 · 2266973 · 2266973
1 parent 28cc671
commit 2266973
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 5 deletions.
diff --git a/jose/jwt.py b/jose/jwt.py
@@ -420,12 +420,11 @@ def _validate_at_hash(claims, access_token, algorithm):
     """
     if 'at_hash' not in claims and not access_token:
         return
+    elif access_token and 'at_hash' not in claims:
+        return
     elif 'at_hash' in claims and not access_token:
         msg = 'No access_token provided to compare against at_hash claim.'
         raise JWTClaimsError(msg)
-    elif access_token and 'at_hash' not in claims:
-        msg = 'at_hash claim missing from token.'
-        raise JWTClaimsError(msg)
 
     try:
         expected_hash = calculate_at_hash(access_token,

diff --git a/tests/test_jwt.py b/tests/test_jwt.py
@@ -468,8 +468,8 @@ def test_at_hash_missing_access_token(self, claims, key):
 
     def test_at_hash_missing_claim(self, claims, key):
         token = jwt.encode(claims, key)
-        with pytest.raises(JWTError):
-            jwt.decode(token, key, access_token='<ACCESS_TOKEN>')
+        payload = jwt.decode(token, key, access_token='<ACCESS_TOKEN>')
+        assert 'at_hash' not in payload
 
     def test_at_hash_unable_to_calculate(self, claims, key):
         token = jwt.encode(claims, key, access_token='<ACCESS_TOKEN>')