author: James E. Blair <jim@acmegating.com> 2022-11-15 13:52:53 -0800
committer: James E. Blair <jim@acmegating.com> 2022-11-15 13:52:53 -0800
commit: 3780ed548ca033ee78d740443f9ba2baea0e2c4f
tree: 52299e751b85e1ed10d92fe5f4e7960d7f662a54 /zuul/cmd
parent: 4d555ca675d204b1d668a63fab2942a70f159143
Unpin JWT and use integer IAT values

PyJWT 2.6.0 began performing validation of iat (issued at) claims in https://github.com/jpadilla/pyjwt/commit/9cb9401cc579f11dbb17181e8713f061f8e40ed4

I believe the intent of RFC7519 is to support any numeric values (including floating point) for iat, nbf, and exp, however, the PyJWT library has made the assumption that the values should be integers, and therefore when we supply an iat with decimal seconds, PyJWT will round down when validating the value. In our unit tests, this can cause validation errors.

In order to avoid any issues, we will round down the times that we supply when generating JWT tokens and supply them as integers in accordance with the robustness principle.

Change-Id: Ia8341b4d5de827e2df8878f11f2d1f52a1243cd4

Diffstat (limited to 'zuul/cmd')
-rwxr-xr-x zuul/cmd/client.py 2
1 files changed, 1 insertions, 1 deletions
diff --git a/zuul/cmd/client.py b/zuul/cmd/client.py
index 98dd56b9d..031b10a1e 100755
--- a/zuul/cmd/client.py
+++ b/zuul/cmd/client.py
@@ -735,7 +735,7 @@ class Client(zuul.cmd.ZuulApp):
print('"%s" authenticator configuration not found.'
% self.args.auth_config)
sys.exit(1)
- now = time.time()
+ now = int(time.time())
token = {'iat': now,
'exp': now + self.args.expires_in,
'iss': get_default(self.config, auth_section, 'issuer_id'),
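
Review bot: `'exp': now + self.args.expires_in`, two lines below the changed line, stays an integer only if `self.args.expires_in` is one, and this hunk does not show how that argument is parsed. If it can arrive as a float, `exp` would still carry decimal seconds, which is what the commit message sets out to avoid; consider `int(now + self.args.expires_in)` or confirming that the argument is declared with an integer type. A one-line comment at `now = int(time.time())` saying why the value is truncated would also keep the reason from living only in the commit message.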