ProConnect: Don't check issued_at claim

A difference between or serveur clocks causes some ImmatureSignatureError. It' not even mandatory to check it, see jpadilla/pyjwt#939
gip-inclusion · Nov 15, 2024 · d7eeb98 · d7eeb98
1 parent 60f1718
commit d7eeb98
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/itou/openid_connect/pro_connect/views.py b/itou/openid_connect/pro_connect/views.py
@@ -179,6 +179,7 @@ def _get_user_info(request, access_token):
         key=constants.PRO_CONNECT_CLIENT_SECRET,
         algorithms=["HS256"],
         audience=constants.PRO_CONNECT_CLIENT_ID,
+        options={"verify_iat": False},
     )
     return decoded_id_token, None
 

diff --git a/tests/openid_connect/pro_connect/test.py b/tests/openid_connect/pro_connect/test.py
@@ -3,9 +3,11 @@
 import httpx
 import jwt
 import respx
+from dateutil.relativedelta import relativedelta
 from django.conf import settings
 from django.test import override_settings
 from django.urls import reverse
+from django.utils import timezone
 from django.utils.functional import classproperty
 from pytest_django.asserts import assertContains, assertRedirects
 
@@ -66,7 +68,8 @@ def mock_oauth_dance(
     user_info = oidc_userinfo or OIDC_USERINFO.copy()
     if user_info_email:
         user_info["email"] = user_info_email
-    user_info = user_info | {"aud": constants.PRO_CONNECT_CLIENT_ID}
+    # Put a issued at in the future to ensure we don't check it
+    user_info = user_info | {"aud": constants.PRO_CONNECT_CLIENT_ID, "iat": timezone.now() + relativedelta(hours=1)}
     user_info_jwt = jwt.encode(payload=user_info, key=constants.PRO_CONNECT_CLIENT_SECRET, algorithm="HS256")
     respx.get(constants.PRO_CONNECT_ENDPOINT_USERINFO).mock(return_value=httpx.Response(200, content=user_info_jwt))