Fix marshmellow verison, and prevent jose from verifying access token hash

* Pin marshmellow to a version less than 3. This might be fixed in Netflix#99
* Disable at_hash verification if present in the JWT, since the bless lambda doesn't have access to the a hash of the access token.

Author: stoggi

bless/aws_lambda/bless_lambda_user.py

@@ -181,7 +181,8 @@ def lambda_handler_user(
                     config.get(JWTAUTH_SECTION, JWTAUTH_SIGNATURE_JWK_OPTION),
                     audience=config.get(JWTAUTH_SECTION, JWTAUTH_AUDIENCE_OPTION),
                     issuer=config.get(JWTAUTH_SECTION, JWTAUTH_ISSUER_OPTION),
-                    algorithms=config.get(JWTAUTH_SECTION, JWTAUTH_SIGNATURE_ALGORITHM_OPTION)
+                    algorithms=config.get(JWTAUTH_SECTION, JWTAUTH_SIGNATURE_ALGORITHM_OPTION),
+                    options={'verify_at_hash': False}
                 )
                 username_claim = config.get(JWTAUTH_SECTION, JWTAUTH_USERNAME_CLAIM_OPTION)
                 if username_claim not in claims.keys():

setup.py

@@ -21,8 +21,9 @@
         'boto3',
         'cryptography',
         'ipaddress',
-        'marshmallow',
-        'kmsauth'
+        'marshmallow<3',
+        'kmsauth',
+        'python-jose[cryptography]'
     ],
     extras_require={
         'tests': [