fix: migrate authlib.jose to joserfc (#1197)

[MatthewJamisonJS]

Description

Swaps authlib.jose for joserfc — authlib's JOSE-only successor — in the two files that import it:

• codecarbon/cli/auth.py (_validate_access_token)
• carbonserver/.../oidc_auth_provider.py (_decode_token JWKS fallback)

authlib stays a dependency for OAuth2 primitives (OAuth2Session, starlette OAuth, PKCE, generate_token). Only authlib.jose moves.

Call translation:

• JsonWebKey.import_key_set → KeySet.import_key_set
• jose_jwt.decode(token, keyset) returns a Token with .claims as a plain dict
• claims.validate() → jose_jwt.JWTClaimsRegistry().validate(token.claims) (same defaults: exp/nbf/iat, no leeway)

Related Issue

Resolves #1197.

Motivation and Context

codecarbon --version emits AuthlibDeprecationWarning: authlib.jose module is deprecated, please use joserfc instead. joserfc is authlib's own recommended replacement (https://jose.authlib.org/en/). Migrating now removes the warning and keeps us compatible past authlib 2.0.

How Has This Been Tested?

• Read joserfc/_rfc7519/claims.py against authlib/jose/rfc7519/claims.py to confirm same defaults (now=int(time.time()), leeway=0, same exp/nbf/iat checks, same ExpiredTokenError).
• tests/cli/test_cli_auth.py: 18/18. Patch targets updated; test_validate_access_token_valid now uses a realistic claims dict so JWTClaimsRegistry actually runs; added test_validate_access_token_expired_returns_false.
• carbonserver/tests/api/service/test_auth_provider.py: 2/2. Added test_decode_token_falls_back_to_jwks_when_fief_fails — the JWKS path had no prior coverage.
• uv run task test-api-unit: 86 passed, 1 skipped, 1 xfailed.
• uv run codecarbon --version: warning gone.
• pre-commit clean.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

AI Usage Disclosure

• 🟥 AI-vibecoded
• 🟠 AI-generated
• ⭐ AI-assisted — I drove file selection, the equivalence check, and the decision to keep authlib; AI helped with the joserfc API translation and test scaffolding.
• ♻️ No AI used.

Checklist

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the docs/how-to/contributing.md document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.90%. Comparing base (08dcc1b) to head (f8ecb27).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #1199   +/-   ##
=======================================
  Coverage   88.90%   88.90%           
=======================================
  Files          45       45           
  Lines        4301     4301           
=======================================
  Hits         3824     3824           
  Misses        477      477           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[benoit-cty]

LGTM.
@SaboniAmine or @inimaz as it is security related, what do you think ?

[benoit-cty]

Copilot review :

I don’t see a new security regression in PR 1199.
The change is a straight JOSE-library migration in auth.py:100 and oidc_auth_provider.py:57: it still verifies tokens against JWKS, still rejects expired/not-yet-valid claims, and the added tests cover the expired-token path plus the JWKS fallback path in test_cli_auth.py:92 and test_auth_provider.py:5. GitHub checks are green, including CodeQL and the test suite.
The only caveat is a pre-existing one: the CLI still treats auth-server network failures as non-fatal and falls through to the API for the final decision. That behavior predates this PR, so it’s not a new issue from the migration.