Do not fail in JWT decode() if at_hash claim is missing

leplatrem · leplatrem · commit 22669734c632 · 2018-02-02T10:11:09.000+01:00
Fixes #75
diff --git a/jose/jwt.py b/jose/jwt.py
@@ -420,12 +420,11 @@ def _validate_at_hash(claims, access_token, algorithm):
     """
     if 'at_hash' not in claims and not access_token:
         return
+    elif access_token and 'at_hash' not in claims:
+        return
     elif 'at_hash' in claims and not access_token:
         msg = 'No access_token provided to compare against at_hash claim.'
         raise JWTClaimsError(msg)
-    elif access_token and 'at_hash' not in claims:
-        msg = 'at_hash claim missing from token.'
-        raise JWTClaimsError(msg)
 
     try:
         expected_hash = calculate_at_hash(access_token,
diff --git a/tests/test_jwt.py b/tests/test_jwt.py
@@ -468,8 +468,8 @@ def test_at_hash_missing_access_token(self, claims, key):
 
     def test_at_hash_missing_claim(self, claims, key):
         token = jwt.encode(claims, key)
-        with pytest.raises(JWTError):
-            jwt.decode(token, key, access_token='<ACCESS_TOKEN>')
+        payload = jwt.decode(token, key, access_token='<ACCESS_TOKEN>')
+        assert 'at_hash' not in payload
 
     def test_at_hash_unable_to_calculate(self, claims, key):
         token = jwt.encode(claims, key, access_token='<ACCESS_TOKEN>')
