
issuer check incorrect

Open topher96 opened this issue 7 years ago • 2 comments

https://github.com/mpdavis/python-jose/blob/master/jose/jwt.py#L75 issuer (str or iterable) – Acceptable value(s) for the issuer of the token. If the “iss” claim is included in the claim set, then the issuer must be given and the claim in the token must be among the acceptable values

The logic in the code is different from the description above: it only checks the issuer if one is passed to the API, but the description above says the opposite, i.e. if there is an issuer in the claims then it must be passed into the API.

https://github.com/mpdavis/python-jose/blob/master/jose/jwt.py#L354

topher96 commented May 22 '18 23:05

Same thing with 'sub' claim. I believe the code is right and it's the documentation that is incorrect in both cases.

bgdnlp commented May 12 '19 11:05

Yeah that docstring could definitely be worded better.

@topher96, @bgdnlp What do you think of this:

        issuer (str or iterable): Acceptable value(s) for the issuer of the token.
            If issuer is specified, and the "iss" claim is included in the token claim
            set, then the "iss" claim must be among the acceptable values from
            the issuer parameter. By default, the "iss" claim is considered to be
            optional, so if the "iss" claim is not included then it is not validated,
            regardless of the issuer parameter. To change this behavior to
            require and validate the "iss" claim against the issuer parameter,
            set the appropriate values in the options parameter.

and this:

        subject (str): The subject of the token. If subject is specified, and the "sub"
            claim is included in the token claim set, then the "sub" claim must equal
            the subject parameter value. By default, the "sub" claim is considered to
            be optional, so if the "sub" claim is not included then it is not validated,
            regardless of the subject parameter. To change this behavior to require
            and validate the "sub" claim against the subject parameter, set the
            appropriate values in the options parameter.

It's a lot more wordy, but I think it's a lot more clear as to what values to set for issuer and subject, what the implications are, and how to change the behavior with the options parameter.

blag commented Jan 13 '20 21:01
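The behaviour the thread settles on (a claim that is absent is not validated unless you opt in to requiring it) is easy to get wrong on the relying-party side, so here is an added example, not code from python-jose itself, that reimplements the "iss" and "sub" checks with the semantics of the proposed docstrings. The option names `verify_iss`, `require_iss`, `verify_sub` and `require_sub` are assumed to follow python-jose's naming; the claim sets are constructed, not real tokens.

```python
from typing import Iterable, Mapping, Optional, Union


class JWTClaimsError(Exception):
    """Raised when a claim fails validation (stands in for jose.exceptions.JWTClaimsError)."""


# Assumed to mirror python-jose's option names; absent claims are optional by default.
DEFAULT_OPTIONS = {"verify_iss": True, "verify_sub": True,
                   "require_iss": False, "require_sub": False}


def validate_iss(claims: Mapping, issuer: Union[str, Iterable[str], None],
                 options: Optional[dict] = None) -> None:
    opts = {**DEFAULT_OPTIONS, **(options or {})}
    if opts["require_iss"] and "iss" not in claims:
        raise JWTClaimsError('Token is missing the "iss" claim')
    # Validated only when the caller supplied acceptable issuers AND the claim is present.
    if opts["verify_iss"] and issuer is not None and "iss" in claims:
        acceptable = {issuer} if isinstance(issuer, str) else set(issuer)
        if claims["iss"] not in acceptable:
            raise JWTClaimsError("Invalid issuer")


def validate_sub(claims: Mapping, subject: Optional[str],
                 options: Optional[dict] = None) -> None:
    opts = {**DEFAULT_OPTIONS, **(options or {})}
    if opts["require_sub"] and "sub" not in claims:
        raise JWTClaimsError('Token is missing the "sub" claim')
    if opts["verify_sub"] and subject is not None and "sub" in claims:
        if claims["sub"] != subject:
            raise JWTClaimsError("Invalid subject")


def check(claims: Mapping, issuer=None, subject=None, options=None) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a decoded claim set."""
    try:
        validate_iss(claims, issuer, options)
        validate_sub(claims, subject, options)
    except JWTClaimsError as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample claim sets.
NO_ISS = {"exp": 9999999999}
BAD_ISS = {"iss": "https://evil.example", "sub": "alice"}
GOOD = {"iss": "https://idp.example", "sub": "alice"}
STRICT = {"require_iss": True, "require_sub": True}

if __name__ == "__main__":
    print(check(NO_ISS, issuer="https://idp.example"))            # accepted (iss absent, not validated)
    print(check(NO_ISS, issuer="https://idp.example", options=STRICT))  # rejected
    print(check(BAD_ISS, issuer="https://idp.example"))           # rejected
```

Passing `issuer=` alone therefore does not guarantee the token names that issuer; a relying party that needs the claim must also set the `require_*` option.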