Commit
On the surface, this may look like a potentially incompatible change because we remove `leeway` from the passed `jwt_params`. However, those are passed to `options` and `leeway` isn't a supported value there for pyjwt, so the change is in effect strictly additive. pyjwt source has a comment indicating that `leeway` might be added to `options` in the future (it would make sense), along with values we control like `audience`. For the time being, however, this makes sense as a mechanism for passing `leeway` for JWT handling in the SDK.

Because the same `leeway` is used for the `iat`, `nbf`, and `exp` claims, we can check that `leeway` is passed correctly by using it to make a very old `exp` claim pass validation in our tests.

A new default is set for `leeway` of 0.5s internally. This is not part of the `decode_id_token` docs -- kept as an implementation detail -- but it makes the default behavior slightly more tolerant of clock drift. As such, this part of the change is documented as a fix in the changelog, whereas the rest is an addition.
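The mechanism described in the commit message, as an added example that is not the SDK's code and not pyjwt's: `leeway` is pulled out of the caller's `jwt_params` and handed over as its own argument rather than left inside `options` (where pyjwt would ignore it), and one shared leeway is applied to the `exp`, `nbf` and `iat` claims. The claim checks are written out in plain Python following pyjwt's documented semantics so the block runs without pyjwt installed; the function names, the `0.5` second default and the fixed "now" timestamp are assumptions made for illustration. The `__main__` section reproduces the test idea from the message: a very old `exp` fails under the default and passes only when a large leeway is supplied.

```python
"""Added example: route ``leeway`` from jwt_params to its own argument and
show its effect on the time-based claims.  Not the SDK's or pyjwt's code;
claim semantics follow pyjwt's documented behaviour (exp/nbf/iat each
tolerated by ``leeway`` seconds).  Names and the 0.5s default are assumed.
"""
import time
from typing import Any, Dict, Mapping, Optional, Tuple


class ExpiredSignatureError(Exception):
    """Raised when ``exp`` is more than ``leeway`` seconds in the past."""


class ImmatureSignatureError(Exception):
    """Raised when ``nbf`` or ``iat`` is more than ``leeway`` seconds ahead."""


# Assumed default tolerance for clock drift between issuer and verifier.
DEFAULT_LEEWAY = 0.5


def split_jwt_params(jwt_params: Optional[Mapping[str, Any]]) -> Tuple[Dict[str, Any], float]:
    """Separate ``leeway`` from the rest of ``jwt_params``.

    pyjwt takes ``leeway`` as a top-level keyword argument to ``jwt.decode``,
    not as a key inside ``options``, so it must be popped out here.  Everything
    else is passed through unchanged as ``options``.  Returns
    ``(options, leeway)`` with the default applied if the caller set none.
    """
    options = dict(jwt_params or {})
    leeway = float(options.pop("leeway", DEFAULT_LEEWAY))
    if leeway < 0:
        raise ValueError("leeway must be non-negative")
    return options, leeway


def validate_time_claims(claims: Mapping[str, Any], leeway: float, now: Optional[float] = None) -> None:
    """Check exp/nbf/iat with one shared ``leeway``, as pyjwt does.

    - ``exp`` fails once it is at least ``leeway`` seconds in the past
    - ``nbf`` and ``iat`` fail while more than ``leeway`` seconds in the future
    """
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now - leeway:
        raise ExpiredSignatureError("token has expired")
    if "nbf" in claims and claims["nbf"] > now + leeway:
        raise ImmatureSignatureError("token is not yet valid (nbf)")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ImmatureSignatureError("token issued in the future (iat)")


def is_valid_with(jwt_params: Optional[Mapping[str, Any]], claims: Mapping[str, Any], now: float) -> bool:
    """True if ``claims`` pass the time checks under the given ``jwt_params``."""
    _options, leeway = split_jwt_params(jwt_params)
    try:
        validate_time_claims(claims, leeway, now)
    except (ExpiredSignatureError, ImmatureSignatureError):
        return False
    return True


if __name__ == "__main__":
    # Constructed fixed "current time" so the demo is reproducible.
    now = 1_700_000_000.0
    very_old = {"exp": now - 10 * 365 * 24 * 3600}  # expired ten years ago
    print("default leeway:", is_valid_with({}, very_old, now))
    print("huge leeway:   ", is_valid_with({"leeway": 20 * 365 * 24 * 3600}, very_old, now))
```

Keep the production leeway as small as the deployment's clock synchronisation allows: every second of leeway is a second during which an expired or not-yet-valid token is still accepted.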
Showing 3 changed files with 43 additions and 1 deletion.
changelog.d/20230719_120125_sirosen_support_jwt_leeway.rst: 12 additions & 0 deletions
@@ -0,0 +1,12 @@ | ||
Added | ||
~~~~~ | ||
|
||
- The ``jwt_params`` argument to ``decode_id_token()`` now allows ``"leeway"`` | ||
to be included to pass a ``leeway`` parameter to pyjwt. (:pr:`NUMBER`) | ||
|
||
Fixed | ||
~~~~~ | ||
|
||
- ``decode_id_token()`` defaulted to having no tolerance for clock drift. Slight | ||
clock drift could lead to JWT claim validation errors. The new default is | ||
0.5s which should be sufficient for most cases. (:pr:`NUMBER`) |
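Review bot: both entries still carry the ``(:pr:`NUMBER`)`` placeholder; it needs the real PR number before this fragment is merged, otherwise the rendered changelog will point nowhere. Two smaller points on the Fixed entry: it says the new default is "0.5s" but not which claims it applies to, and the commit message states the same leeway covers ``exp``, ``nbf`` and ``iat``, so spelling that out ("0.5s of leeway on the ``exp``, ``nbf`` and ``iat`` claims") tells users exactly which checks became more tolerant; and since a larger ``leeway`` also lets a token past its ``exp`` validate, the Added entry could note that callers who raise it trade expiry enforcement for drift tolerance.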