lepture/authlib

JWTClaims accepts True/False `iat`.

nairb774 opened this issue · 0 comments

Describe the bug

According to https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6 the iat field should be a numeric field. Creating a token with iat:true passes validation. This looks to be because _validate_numeric_time returns True for bool inputs.

To Reproduce

A minimal example to reproduce the behavior:

import authlib.jose.rfc7519

authlib.jose.rfc7519.JWTClaims({"iat": True}, {}).validate()
authlib.jose.rfc7519.JWTClaims({"iat": False}, {}).validate()

Expected behavior

Both of those validate calls should fail similarly to:

>>> authlib.jose.rfc7519.JWTClaims({"iat": "not-a-number"}, {}).validate()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 103, in validate
    self.validate_iat(now, leeway)
  File "/usr/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 207, in validate_iat
    raise InvalidClaimError('iat')
authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "iat"

Environment:

  • OS: Linux
  • Python Version: Python 3.11.8 (main, Feb 12 2024, 14:50:05) [GCC 13.2.1 20230801] on linux
  • Authlib Version: 1.3.0
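The root cause described above is that Python's `bool` is a subclass of `int`, so `isinstance(True, int)` is `True` and a naive numeric check accepts it. The following is an added example, not Authlib's code, showing a NumericDate check that excludes `bool` explicitly and a minimal `iat` validation built on it; `InvalidClaimError`, `is_numeric_date`, `validate_iat` and `claims_are_valid` are my own stand-in names, and the sample claims are constructed.

```python
from numbers import Real


class InvalidClaimError(ValueError):
    """Constructed stand-in for the library's InvalidClaimError."""


def is_numeric_date(value) -> bool:
    """RFC 7519 section 2 NumericDate is a JSON number.

    bool is checked first and rejected: in Python True == 1 and
    isinstance(True, int) is True, so a plain isinstance(value, Real)
    test would let iat=True or iat=False through.
    """
    if isinstance(value, bool):
        return False
    return isinstance(value, Real)


def validate_iat(claims: dict, now: int, leeway: int = 0) -> None:
    """Hypothetical iat check: type must be numeric, and the token must
    not claim to have been issued in the future (beyond the leeway)."""
    if "iat" not in claims:
        return
    iat = claims["iat"]
    if not is_numeric_date(iat):
        raise InvalidClaimError("iat")
    if iat > now + leeway:
        raise InvalidClaimError("iat")


def claims_are_valid(claims: dict, now: int, leeway: int = 0) -> bool:
    """Convenience wrapper returning False instead of raising."""
    try:
        validate_iat(claims, now, leeway)
    except InvalidClaimError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample claims: one well-formed, the three rejected ones
    # mirror the report (bool values and a non-number string).
    now = 1_700_000_100
    for claims in ({"iat": 1_700_000_000}, {"iat": True},
                   {"iat": False}, {"iat": "not-a-number"}):
        print(claims, "->", claims_are_valid(claims, now))
```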