Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should at_hash claim verification fail when missing from JWT? #75

Closed
leplatrem opened this issue Dec 17, 2017 · 3 comments
Closed

Should at_hash claim verification fail when missing from JWT? #75

leplatrem opened this issue Dec 17, 2017 · 3 comments

Comments

@leplatrem
Copy link
Contributor

It looks like at_hash in JWT payload is optional (see http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken).

However, in python-jose, when both id_token and access_token parameters are specified, decoding a JWT that has no at_hash claim raises an error (at_hash claim missing from token)
https://github.com/mpdavis/python-jose/pull/30/files#diff-b106d01229785c64375df96ca4b3f58cR422

Shouldn't it be acceptable since the spec says it's optional?

Obviously we can disable at_hash verification with the appropriate decode option, but we find it useful to perform claims verification on JWT that have it or not with the same code. Maybe with a allow_missing_at_hash option or something?

Huge thanks for this lib 😻
@leplatrem leplatrem mentioned this issue Dec 17, 2017
Closed
@mpdavis
Copy link
Owner

mpdavis commented Dec 18, 2017

You are correct, based on the spec, that shouldn't fail on a missing at_hash.

That shouldn't be too hard to fix up.

leplatrem added a commit to leplatrem/python-jose that referenced this issue Dec 19, 2017
@leplatrem
Do not fail in JWT decode() if at_hash claim is missing
a6923bb 
Fixes mpdavis#75
@leplatrem leplatrem mentioned this issue Dec 19, 2017
Merged
leplatrem added a commit to leplatrem/python-jose that referenced this issue Feb 2, 2018
@leplatrem
Do not fail in JWT decode() if at_hash claim is missing
2266973 
Fixes mpdavis#75
@manuel-koch
Copy link

Any chance this change (#76) can be released to PyPi ?
Most recent available version on PyPi is 3.0.1 from Aug 2018 and the fix seems to have been merged to master in Nov 2018.

@carletes
Copy link

Would it be possible to have this change available through PyPI in a new release?

I'm now doing a pip install git+https://github.com/mpdavis/python-jose, but it would be great to have this in PyPI.

@techdragon techdragon mentioned this issue Oct 16, 2019
Closed
@vikoivun vikoivun mentioned this issue Mar 9, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@carletes @mpdavis @leplatrem @manuel-koch