The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
BSD 3-Clause "New" or "Revised" License
JWTClaims accepts True/False `iat`. #641
Open
nairb774 opened 3 months ago
Describe the bug
According to https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6 the `iat` field should be a numeric field. Creating a token with `iat:true` passes validation. This looks to be because `_validate_numeric_time` returns True for bool inputs.
To Reproduce
A minimal example to reproduce the behavior:
Expected behavior
Both of those validate calls should fail similarly to:
Environment:
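
Why a boolean can pass a numeric-time check, as an added example that is not part of the original issue and is not the project's own code: in Python `bool` is a subclass of `int`, so a test built only on `isinstance` accepts `True` and `False`. The function names and sample payloads are hypothetical, and the strict check also rejects NaN and infinity, which goes beyond the case reported above.

```python
import math

NUMERIC_DATE_CLAIMS = ("exp", "nbf", "iat")  # RFC 7519 sections 4.1.4 to 4.1.6


def lax_is_numeric_date(value):
    """isinstance-only check (hypothetical, shows the pitfall).

    bool is a subclass of int in Python, so True and False pass.
    """
    return isinstance(value, (int, float))


def strict_is_numeric_date(value):
    """Accept only real JSON numbers: int or finite float, never bool."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return True
    return isinstance(value, float) and math.isfinite(value)


def invalid_time_claims(claims, check):
    """Return the names of time claims present in `claims` that fail `check`."""
    return [name for name in NUMERIC_DATE_CLAIMS
            if name in claims and not check(claims[name])]


# Constructed sample payloads, as they would look after json.loads().
SAMPLES = [
    {"sub": "alice", "iat": 1700000000},
    {"sub": "alice", "iat": True},
    {"sub": "alice", "iat": False, "exp": "1700003600"},
    {"sub": "alice", "nbf": float("nan")},
]

if __name__ == "__main__":
    for payload in SAMPLES:
        print(payload,
              "| lax rejects:", invalid_time_claims(payload, lax_is_numeric_date),
              "| strict rejects:", invalid_time_claims(payload, strict_is_numeric_date))
```

The bool test has to come before the int test; once `isinstance(value, int)` has matched, `True` is indistinguishable from `1` in any later comparison against the current time.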