okta / okta-jwt-verifier-python

okta-jwt-verifier-python
https://github.com/okta/okta-jwt-verifier-python
Apache License 2.0

Validate access token issuer before pulling JWKs #34

Closed linanova closed 2 years ago

linanova commented 2 years ago

The token signature is being verified before the claims. As a result, when a token specifies the wrong issuer, validation will waste time requesting the wrong JWKs and will fail with JWKException: No matching JWK instead of JWTClaimsError: Invalid issuer.

Since the verification of claims is far less time consuming, could the order be switched so that happens first and validation fails early?

Note: There is a workaround here to use BaseJWTVerifier to parse the token and use verify_claims explicitly to check the issuer before calling verify_access_token, but it would be much cleaner if we could just use AccessTokenVerifier.

Thanks!

serhiibuniak-okta commented 2 years ago

@linanova Thank you for posting this issue, sounds reasonable. I'll start work on this improvement soon.

serhiibuniak-okta commented 2 years ago

@linanova Version 0.2.3 has been published. I'm closing this issue as resolved. Feel free to reopen this issue or create a new one if your problem still exists.