Commit 24af4b4

Fix marshmallow version, and prevent jose from verifying access token hash

* Pin marshmallow to a version less than 3. This might be fixed in Netflix#99
* Disable at_hash verification if present in the JWT, since the bless lambda doesn't have access to a hash of the access token.
1 parent cce9d5c commit 24af4b4

File tree

2 files changed: +5 -3 lines changed


bless/aws_lambda/bless_lambda_user.py

Lines changed: 2 additions & 1 deletion
Original file line number / Diff line number / Diff line change
@@ -181,7 +181,8 @@ def lambda_handler_user(
181181
config.get(JWTAUTH_SECTION, JWTAUTH_SIGNATURE_JWK_OPTION),
182182
audience=config.get(JWTAUTH_SECTION, JWTAUTH_AUDIENCE_OPTION),
183183
issuer=config.get(JWTAUTH_SECTION, JWTAUTH_ISSUER_OPTION),
184-
algorithms=config.get(JWTAUTH_SECTION, JWTAUTH_SIGNATURE_ALGORITHM_OPTION)
184+
algorithms=config.get(JWTAUTH_SECTION, JWTAUTH_SIGNATURE_ALGORITHM_OPTION),
185+
options={'verify_at_hash': False}
185186
)
186187
username_claim = config.get(JWTAUTH_SECTION, JWTAUTH_USERNAME_CLAIM_OPTION)
187188
if username_claim not in claims.keys():
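Review bot: the added `options={'verify_at_hash': False}` removes the binding between the ID token and the access token, and nothing on that line says why; add a comment stating what the commit message explains, that the Lambda never receives the access token and python-jose rejects a token carrying an `at_hash` claim when no access token is supplied for comparison. The `audience`, `issuer` and `algorithms` checks on the preceding lines remain, so the signature and intended recipient are still verified, but the hard-coded literal hides a deliberate security trade-off; consider surfacing it as a named option under `JWTAUTH_SECTION` so it is visible in configuration rather than only in code.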

setup.py

Lines changed: 3 additions & 2 deletions
Original file line number / Diff line number / Diff line change
@@ -21,8 +21,9 @@
2121
'boto3',
2222
'cryptography',
2323
'ipaddress',
24-
'marshmallow',
25-
'kmsauth'
24+
'marshmallow<3',
25+
'kmsauth',
26+
'python-jose[cryptography]'
2627
],
2728
extras_require={
2829
'tests': [
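Review bot: `'marshmallow<3'` has only an upper bound and `'python-jose[cryptography]'` has no version constraint at all, so installs can still drift; since the message says the marshmallow breakage is tracked in Netflix#99, a short comment next to the pin pointing at that issue would tell the next maintainer when the bound can be lifted, and python-jose deserves at least a minimum version because the `verify_at_hash` option used in bless_lambda_user.py depends on it. Note also that python-jose is entering `install_requires` here for the first time while the Lambda code already calls into it, so any packaging step that assembles the Lambda bundle from this list must pick up the new dependency.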
