Should at_hash claim verification fail when missing from JWT?

[leplatrem]

It looks like at_hash in JWT payload is optional (see http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken).

However, in python-jose, when both id_token and access_token parameters are specified, decoding a JWT that has no at_hash claim raises an error (at_hash claim missing from token)
https://github.com/mpdavis/python-jose/pull/30/files#diff-b106d01229785c64375df96ca4b3f58cR422

Shouldn't it be acceptable since the spec says it's optional?

Obviously we can disable at_hash verification with the appropriate decode option, but we find it useful to perform claims verification on JWT that have it or not with the same code. Maybe with a allow_missing_at_hash option or something?

Huge thanks for this lib 😻

[mpdavis]

You are correct, based on the spec, that shouldn't fail on a missing at_hash.

That shouldn't be too hard to fix up.

[manuel-koch]

Any chance this change (#76) can be released to PyPi ?
Most recent available version on PyPi is 3.0.1 from Aug 2018 and the fix seems to have been merged to master in Nov 2018.

[carletes]

Would it be possible to have this change available through PyPI in a new release?

I'm now doing a pip install git+https://github.com/mpdavis/python-jose, but it would be great to have this in PyPI.