## Security Flaw: TokenValidationConfig.require_https Flag is Dead Code, Misleading Users on HTTP Support
The `require_https` boolean on the `TokenValidationConfig` model is never read by the validation pipeline, so the documented configuration surface does not match what the system does. A user who sets `require_https=False` expecting discovery to be allowed against a plain-HTTP issuer gets no such effect: the pipeline still enforces HTTPS and discovery against an `http://` issuer fails. The flag fails closed, so the defect does not by itself weaken transport security; the hazard is the mismatch between the documented setting and the actual behavior, and the workarounds it invites.

The evidence that the field is dead code is a search of the core token validation modules (`sync/token_validation.py`, `aio/token_validation.py`, and `core/token_validation_logic.py`), which returns no references to `require_https`. The mechanism is a dropped parameter: `validate_token` calls `_get_disco_response()`, which in turn calls `get_discovery_document()` without passing any policy, so that function always falls back to its default `DiscoveryPolicy(require_https=True)` and the value on the user's config is never consulted.

The project's own test setup masks the defect. The conformance harness at `conformance/app.py:525` also sets `require_https=False`, and the setting is equally inert there; the harness works only because it passes a custom `http_client` with `verify=False`, which disables TLS certificate verification rather than permitting plain HTTP. That gives developers a misleading template in two directions: anyone relying on the documented flag alone will hit brittle, hard-to-diagnose discovery failures, and anyone who copies the harness configuration to make things work may carry a disabled certificate check into production code.
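The dropped-parameter pattern described above, modelled in a short added example (this is not the project's code; the names `DiscoveryPolicy`, `TokenValidationConfig`, `get_discovery_document` and `validate_token` follow the report, while their bodies, the `flag_is_honored` regression check and the `reads_field` bytecode check are assumptions made for illustration). It shows the buggy resolver that silently falls back to `DiscoveryPolicy(require_https=True)` next to one that threads the user's flag into the policy, plus two checks a reviewer can run: a behavioural one that a dead flag fails, and a static one in the spirit of the report's source search.

```python
"""Dead require_https flag: the reported shape of the bug and a fix.

Added example, not the project's code. Names follow the report; the bodies,
the regression check and the static check are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DiscoveryPolicy:
    require_https: bool = True  # the default the pipeline always falls back to


@dataclass
class TokenValidationConfig:
    issuer: str
    require_https: bool = True  # the field the report says is never read


class DiscoveryError(Exception):
    """Raised when the issuer URL violates the discovery policy."""


def get_discovery_document(issuer: str, policy: Optional[DiscoveryPolicy] = None) -> dict:
    """Stand-in for a discovery fetch: only the scheme check matters here.

    No network call is made; a real implementation would fetch
    <issuer>/.well-known/openid-configuration once this check passes."""
    if policy is None:
        policy = DiscoveryPolicy()  # require_https=True unless a caller says otherwise
    scheme = urlsplit(issuer).scheme.lower()
    if policy.require_https and scheme != "https":
        raise DiscoveryError(f"discovery refused: {issuer!r} is not https")
    if scheme not in ("http", "https"):
        raise DiscoveryError(f"unsupported scheme in issuer {issuer!r}")
    return {"issuer": issuer, "jwks_uri": issuer.rstrip("/") + "/jwks"}


def get_disco_response_buggy(config: TokenValidationConfig) -> dict:
    """Shape of the reported defect: config.require_https is never consulted,
    so get_discovery_document falls back to require_https=True."""
    return get_discovery_document(config.issuer)


def get_disco_response_fixed(config: TokenValidationConfig) -> dict:
    """Thread the user's choice into the policy instead of dropping it."""
    policy = DiscoveryPolicy(require_https=config.require_https)
    return get_discovery_document(config.issuer, policy)


Resolver = Callable[[TokenValidationConfig], dict]


def validate_token(config: TokenValidationConfig, token: str, resolver: Resolver) -> bool:
    """Toy validate_token: resolve discovery, then accept a token that names the issuer.
    (Real validation would verify a signature against the JWKS; assumed away here.)"""
    doc = resolver(config)
    return token == f"token-for:{doc['issuer']}"


def flag_is_honored(resolver: Resolver) -> bool:
    """Regression check: with require_https=False an http:// issuer must resolve,
    and with require_https=True it must still be refused (fail closed)."""
    relaxed = TokenValidationConfig(issuer="http://issuer.example", require_https=False)
    strict = TokenValidationConfig(issuer="http://issuer.example", require_https=True)
    try:
        resolver(relaxed)
    except DiscoveryError:
        return False  # flag is dead: http refused despite require_https=False
    try:
        resolver(strict)
    except DiscoveryError:
        return True
    return False  # strict mode let http through, which would be a worse bug


def reads_field(func: Callable, name: str) -> bool:
    """Static check in the spirit of the report's source search: does the
    function's code object ever load an attribute called `name`? Attribute
    names sit in co_names; nested functions and lambdas are not inspected."""
    return name in func.__code__.co_names


if __name__ == "__main__":
    for label, resolver in (("buggy", get_disco_response_buggy),
                            ("fixed", get_disco_response_fixed)):
        print(f"{label}: reads require_https={reads_field(resolver, 'require_https')}, "
              f"honored={flag_is_honored(resolver)}")
```

Note what the harness's workaround does not do: `verify=False` on an HTTP client is a TLS certificate-verification knob, not a scheme policy, and it never reaches the `DiscoveryPolicy` modelled here. A reviewer who sees a test pass only with `verify=False` should treat that as a second finding rather than as evidence that `require_https` works.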
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, software bug, authentication, openid connect, dead code
- **Credibility**: unverified
- **Published**: 2026-04-15 02:22:24
- **ID**: 64686
- **URL**: https://whisperx.ai/en/intel/64686