Verify JWT Decode

spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py

@@ -192,8 +192,7 @@ class AuthenticationService:
                 str(current_app.secret_key),
                 algorithms=[SPIFF_GENERATED_JWT_ALGORITHM],
                 audience=SPIFF_GENERATED_JWT_AUDIENCE,
-                options={"verify_exp": False},
+                options={"verify_exp": True})
-            )
         else:
             algorithm = str(header.get("alg"))
             json_key_configs = cls.jwks_public_key_for_key_id(authentication_identifier, key_id)
@@ -412,7 +411,7 @@ class AuthenticationService:
     def decode_auth_token(auth_token: str) -> dict[str, str | None]:
         """This is only used for debugging."""
         try:
-            payload: dict[str, str | None] = jwt.decode(auth_token, options={"verify_signature": False})
+            payload: dict[str, str | None] = jwt.decode(auth_token, options={"verify_signature": True})
             return payload
         except jwt.ExpiredSignatureError as exception:
             raise TokenExpiredError(

spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_openid_blueprint.py

@@ -77,6 +77,6 @@ class TestOpenidBlueprint(BaseTest):
         assert "id_token" in response.json
         assert "refresh_token" in response.json
 
-        decoded_token = jwt.decode(response.json["id_token"], options={"verify_signature": False})
+        decoded_token = jwt.decode(response.json["id_token"], options={"verify_signature": True})
         assert "iss" in decoded_token
         assert "email" in decoded_token