JWTClaims accepts True/False `iat`.
nairb774 opened this issue · 0 comments
nairb774 commented
Describe the bug
According to https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6 the iat
field should be a numeric field. Creating a token with iat:true
passes validation. This looks to be because _validate_numeric_time
returns True for bool inputs.
To Reproduce
A minimal example to reproduce the behavior:
authlib.jose.rfc7519.JWTClaims({"iat": True}, {}).validate()
authlib.jose.rfc7519.JWTClaims({"iat": False}, {}).validate()
Expected behavior
Both of those validate calls should fail similarly to:
>>> authlib.jose.rfc7519.JWTClaims({"iat": "not-a-number"}, {}).validate()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 103, in validate
self.validate_iat(now, leeway)
File "/usr/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 207, in validate_iat
raise InvalidClaimError('iat')
authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "iat"
Environment:
- OS: Linux
- Python Version: Python 3.11.8 (main, Feb 12 2024, 14:50:05) [GCC 13.2.1 20230801] on linux
- Authlib Version: 1.3.0
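Added example (not part of the issue and not Authlib's code): the root cause the report points at is that `bool` is a subclass of `int` in Python, so a check written as `isinstance(value, (int, float))` accepts `True` and `False` as timestamps. The block contrasts that loose check with one that excludes `bool` (and non-finite floats) before the numeric test, and wraps it in a hypothetical `validate_iat` helper that also enforces RFC 7519's NumericDate requirement and a simple "not in the future" rule; `InvalidClaim`, `is_numeric_time_loose`, `is_numeric_time_strict`, `validate_iat` and `check_values` are names chosen for this example.

```python
import math
import time


def is_numeric_time_loose(value):
    # The pattern behind the bug: bool subclasses int, so
    # isinstance(True, int) is True and True/False pass as timestamps.
    return isinstance(value, (int, float))


def is_numeric_time_strict(value):
    # Reject bool before the int check, and reject NaN/inf floats,
    # which are not usable "seconds since epoch" values either.
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return True
    if isinstance(value, float):
        return math.isfinite(value)
    return False


class InvalidClaim(ValueError):
    """Hypothetical error type for this example (not authlib's InvalidClaimError)."""


def validate_iat(claims, now=None, leeway=0):
    """Validate 'iat' as RFC 7519 section 4.1.6 describes it: optional, and if
    present a NumericDate. Additionally rejects an 'iat' further in the future
    than `leeway` seconds. Hypothetical helper, not Authlib's validate_iat."""
    if "iat" not in claims:
        return True
    iat = claims["iat"]
    if not is_numeric_time_strict(iat):
        raise InvalidClaim("iat")
    if now is None:
        now = int(time.time())
    if iat > now + leeway:
        raise InvalidClaim("iat")
    return True


def check_values(values):
    """Map repr(value) -> (loose_result, strict_result) to compare both checks."""
    return {repr(v): (is_numeric_time_loose(v), is_numeric_time_strict(v))
            for v in values}


if __name__ == "__main__":
    # Constructed sample claim values: the two from the report plus normal cases.
    for k, (loose, strict) in check_values([True, False, 1700000000,
                                            1700000000.5, "not-a-number"]).items():
        print(f"{k:>16}: loose={loose} strict={strict}")
```

The important ordering is that the `bool` test runs before the `int` test; swapping them reproduces the accepted-`True` behaviour, since `isinstance(True, int)` is `True` regardless of how the numeric check is phrased afterwards.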