Closed linanova closed 2 years ago
@linanova Thank you for posting this issue, sounds reasonable. I'll start work on this improvement soon.
@linanova Version 0.2.3 has been published. I'm closing this issue as resolved. Feel free to reopen this issue or create a new one if your problem still exists.
The token signature is being verified before the claims. As a result, when a token specifies the wrong issuer, validation will waste time requesting the wrong JWKs and will fail with `JWKException: No matching JWK` instead of `JWTClaimsError: Invalid issuer`.

Since the verification of claims is far less time consuming, could the order be switched so that happens first and validation fails early?

Note: There is a workaround here to use `BaseJWTVerifier` to parse the token and use `verify_claims` explicitly to check the issuer before calling `verify_access_token`, but it would be much cleaner if we could just use `AccessTokenVerifier`.

Thanks!
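The ordering requested in this issue, as an added example that is not part of the original thread or the library's code: the issuer is compared on the still-unverified claims purely to reject early, and the key lookup happens only afterwards. It uses a standard-library HS256 token as a stand-in for JWK-based verification; `sign`, `validate`, `fetch_key` and the exception names are hypothetical, and the key and issuer values are constructed.

```python
import base64, hashlib, hmac, json

class InvalidIssuer(Exception): pass
class NoMatchingKey(Exception): pass
class BadSignature(Exception): pass

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mac(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims, key):
    """Build a constructed HS256 token for the demo."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(mac(head, body, key))}"

def validate(token, expected_issuer, fetch_key):
    head, body, sig = token.split(".")  # ValueError if not three segments
    header, claims = json.loads(b64d(head)), json.loads(b64d(body))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise BadSignature("unexpected alg")
    # Cheap pre-check on UNVERIFIED claims: used only to reject early.
    if not isinstance(claims, dict) or claims.get("iss") != expected_issuer:
        raise InvalidIssuer("Invalid issuer")
    # Expensive step (stand-in for the JWKS request). Keyed by the configured
    # issuer, never by the token's own iss value.
    key = fetch_key(expected_issuer)
    if key is None:
        raise NoMatchingKey("No matching key")
    if not hmac.compare_digest(mac(head, body, key), b64d(sig)):
        raise BadSignature("signature mismatch")
    return claims  # claims are trusted only from this point on

if __name__ == "__main__":
    key, issuer = b"constructed-demo-secret", "https://issuer.example"
    wrong = sign({"iss": "https://other.example"}, key)
    try:
        validate(wrong, issuer, lambda iss: key)
    except InvalidIssuer as exc:
        print("rejected before key fetch:", exc)
```

A passing issuer pre-check proves nothing by itself; the claims returned by `validate` are usable only because the signature check ran afterwards.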