diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py index 39ea167d5..fc1d822d0 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py @@ -192,8 +192,7 @@ class AuthenticationService: str(current_app.secret_key), algorithms=[SPIFF_GENERATED_JWT_ALGORITHM], audience=SPIFF_GENERATED_JWT_AUDIENCE, - options={"verify_exp": False}, - ) + options={"verify_exp": True}) else: algorithm = str(header.get("alg")) json_key_configs = cls.jwks_public_key_for_key_id(authentication_identifier, key_id) @@ -412,7 +411,7 @@ class AuthenticationService: def decode_auth_token(auth_token: str) -> dict[str, str | None]: """This is only used for debugging.""" try: - payload: dict[str, str | None] = jwt.decode(auth_token, options={"verify_signature": False}) + payload: dict[str, str | None] = jwt.decode(auth_token, options={"verify_signature": True}) return payload except jwt.ExpiredSignatureError as exception: raise TokenExpiredError( diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py index f1978920b..6534bd65c 100644 --- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py +++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py @@ -77,6 +77,6 @@ class TestOpenidBlueprint(BaseTest): assert "id_token" in response.json assert "refresh_token" in response.json - decoded_token = jwt.decode(response.json["id_token"], options={"verify_signature": False}) + decoded_token = jwt.decode(response.json["id_token"], options={"verify_signature": True}) assert "iss" in decoded_token assert "email" in decoded_token