jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

Partial issuer matches instead of InvalidTokenError in 2.10.0 #1020

Open awoimbee opened 4 days ago

awoimbee commented 4 days ago

Impacts 2.10.0; the previous release (2.9.0) is not impacted. Seems like if issuer is given as a string then any partial match is allowed.

Expected Result

InvalidTokenError due to bad iss.

Actual Result

Token is accepted and decoded :grimacing:

Reproduction Steps

This is incomplete:

from typing import Any

import jwt


def decode_token(
    encoded_token: str
) -> dict[str, Any]:
    # _fetch_jwt_signing_key is the reporter's own helper (not shown here)
    signing_key = _fetch_jwt_signing_key(encoded_token)
    decode_options = {
        "verify_signature": True,
        "require": ["exp", "iss", "sub", "iat", "aud"],
    }
    # issuer is passed as a plain string here; in 2.10.0 this is what
    # degrades to a partial (substring) match
    return jwt.decode(
        encoded_token,
        key=signing_key.key,
        algorithms=["RS256", "ES256"],
        options=decode_options,
        issuer="https://test.example.com/auth",
    )

decode_token({
    ...,
    "iss": "http"
})

Note: this is fixed by replacing issuer="https://test.example.com/auth" with issuer=["https://test.example.com/auth"] (relates to #913).

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "43.0.3"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.12.7"
  },
  "platform": {
    "release": "6.11.8-1-default",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.10.0"
  }
}

This command is only available on PyJWT v1.6.3 and greater. Otherwise, please provide some basic information about your system.

awoimbee commented 4 days ago

Caused by #970, which replaced list with Sequence in the isinstance check.

>>> from collections.abc import Sequence
>>> isinstance("bugged", list)
False
>>> isinstance("bugged", Sequence)
True
walsha2 commented 4 days ago

@awoimbee I can confirm this issue as well!

Out of curiosity, what Python version are you using? It seems that this may also be tied to Python version when testing with PyJWT==2.10.0.

For example: the expected InvalidTokenError exception is raised when using 3.12.4 but not on 3.12.7.

# Raises InvalidTokenError
Python 3.12.4 

# Does not raise InvalidTokenError
Python 3.12.7