verification of at_hash == access_token #566
Hi. Now when pointed out the About the original question. I'm guessing this The need to do custom things with JWT tokens is growing all the time and when designing the new 3.0 interfaces I think we can support these kinds of use cases a lot easier, now it would just be yet another if-else....
Ah, I think we will wait until version 3 then. Also the at_hash thing can wait until version 3 and I could help implement that. I will probably try to implement it myself in my operation. I can test version 3 when it is ready if you want to. Something you want help with in version 3?
There is a version-3.0 branch on this repo. Been slowly sketching out things on that one trying to keep somewhat backwards compatibility. Currently trying to unravel the claim validations from the current form into separate classes...
I am working on a connection to IdPorten in Norway. We use JWTs here. I am porting some example scripts over to Ruby and it seems like the Python package python-jose includes verification of at_hash: https://github.com/mpdavis/python-jose/blob/4b0701b46a8d00988afcc5168c2b3a1fd60d15d8/jose/jwt.py#L426-L458. I haven't tried to look in the spec to see what the standards say. Would you be open to a merge request with this verification? Where is the official spec for this?
Also, I find it quite strange that when you call decode with aud but skip verify_aud it doesn't verify. Why would I pass the aud if I don't want it to verify? Also, the third argument is called verify but seems to work as a kill switch for all verifications.
I would like to switch the default values of verify_* to true.
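For reference on what the at_hash check involves, here is an added stand-alone Ruby example (not code from ruby-jwt or python-jose). OpenID Connect Core defines at_hash as the base64url encoding of the left-most half of the hash of the access_token, using the hash algorithm of the ID token's alg header (SHA-256 for RS256, SHA-384 for RS384, and so on); the algorithm table, the AtHashError class and the sample token and claims below are this example's own constructions.

```ruby
require 'digest'
require 'base64'

# Hash function paired with each JWS alg for at_hash (constructed table; OIDC Core
# ties the hash to the ID token's alg header, e.g. RS256 -> SHA-256).
AT_HASH_DIGESTS = {
  'HS256' => Digest::SHA256, 'RS256' => Digest::SHA256, 'ES256' => Digest::SHA256, 'PS256' => Digest::SHA256,
  'HS384' => Digest::SHA384, 'RS384' => Digest::SHA384, 'ES384' => Digest::SHA384, 'PS384' => Digest::SHA384,
  'HS512' => Digest::SHA512, 'RS512' => Digest::SHA512, 'ES512' => Digest::SHA512, 'PS512' => Digest::SHA512
}.freeze

class AtHashError < StandardError; end # hypothetical error type for this example

# Expected at_hash: base64url (no padding) of the left-most half of hash(access_token).
def expected_at_hash(access_token, alg)
  digest_class = AT_HASH_DIGESTS[alg]
  raise AtHashError, "unsupported alg for at_hash: #{alg.inspect}" unless digest_class

  digest = digest_class.digest(access_token) # binary string, one byte per char
  Base64.urlsafe_encode64(digest[0, digest.bytesize / 2], padding: false)
end

# Constant-time comparison so the mismatch position is not observable via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the ID token's at_hash against the access token actually received.
# Returns true on match, false when the claim is absent and not required,
# raises AtHashError on mismatch, unsupported alg, or a missing required claim.
def verify_at_hash!(id_token_claims, id_token_alg, access_token, required: true)
  claimed = id_token_claims['at_hash']
  if claimed.nil?
    raise AtHashError, 'at_hash claim missing' if required
    return false
  end
  raise AtHashError, 'at_hash does not match access_token' unless
    secure_equal?(claimed.to_s, expected_at_hash(access_token, id_token_alg))
  true
end

if __FILE__ == $PROGRAM_NAME
  token = 'constructed-access-token' # sample value, not a real token
  claims = { 'at_hash' => expected_at_hash(token, 'RS256') }
  puts "at_hash ok: #{verify_at_hash!(claims, 'RS256', token)}"
end
```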