Disable at_hash verification (#58)

tokusumi · Jan 6, 2022 · c390134 · c390134
1 parent eb09623
commit c390134
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/fastapi_cloudauth/verification.py b/fastapi_cloudauth/verification.py
@@ -205,7 +205,11 @@ def _verify_claims(self, http_auth: HTTPAuthorizationCredentials) -> bool:
                 "",
                 audience=self._aud,
                 issuer=self._iss,
-                options={"verify_signature": False, "verify_sub": False},  # done
+                options={
+                    "verify_signature": False,
+                    "verify_sub": False,
+                    "verify_at_hash": False,
+                },  # done
             )
         except jwt.ExpiredSignatureError as e:
             if self.auto_error:

diff --git a/tests/test_cognito.py b/tests/test_cognito.py
@@ -311,6 +311,7 @@ def test_extra_verify_id_token():
     # correct
     token = jwt.encode(
         {
+            "at_hash": "some-hash-that-isnt-checked",
             "sub": "dummy-ID",
             "exp": datetime.utcnow() + timedelta(hours=10),
             "iat": datetime.utcnow() - timedelta(hours=10),