Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See also: globus/globus-cli#820
On the surface, this may look like a potentially incompatible change because we remove
leeway
from the passedjwt_params
. However, those are passed tooptions
andleeway
isn't a supported value there for pyjwt, so the change is in effect strictly additive.pyjwt source has a comment indicating that
leeway
might be added tooptions
in the future (it would make sense), along with values we control likeaudience
. For the time being, however, this makes sense as a mechanism for passingleeway
for JWT handling in the SDK.Because the same
leeway
is used for theiat
,nbf
, andexp
claims, we can check thatleeway
is passed correctly by using it to make a very oldexp
claim pass validation in our tests.A new default is set for
leeway
of 0.5s internally. This is not part of thedecode_id_token
docs -- kept as an implementation detail -- but it makes the default behavior slightly more tolerant of clock drift. As such, this part of the change is documented as a fix in the changelog, whereas the rest is an addition.📚 Documentation preview 📚: https://globus-sdk-python--790.org.readthedocs.build/en/790/