
LCORE-1881 follow-up: Migrate authlib.jose usages to joserfc after authlib 1.7.0 upgrade #1537

@coderabbitai

Description


Background

PR #1536 upgrades authlib from 1.6.9 to 1.7.0 to address a CVE. However, authlib 1.7.0 introduces breaking changes that require follow-up work.

Requested by: @tisnik
Related PR: #1536
Related comment: #1536 (comment)

Problem

authlib 1.7.0 deprecates the authlib.jose module in favor of the standalone joserfc library. Several OAuth2/OIDC modules now internally use joserfc, causing breaking changes in exception handling.

The current codebase in src/authentication/jwk_token.py directly imports from the deprecated authlib.jose module:

  • JsonWebKey, JsonWebToken from authlib.jose
  • Exception classes: BadSignatureError, DecodeError, ExpiredTokenError, etc. from authlib.jose.errors

In authlib 1.7.0, affected modules now raise joserfc-based exceptions instead of authlib.jose.errors, which may cause silent failures or unhandled exceptions.

Tasks

  • Audit src/authentication/jwk_token.py for all authlib.jose imports and usages
  • Verify exception handling still works correctly under authlib 1.7.0's joserfc integration (run tests with the new version)
  • Either:
    • Update exception imports to use joserfc.errors equivalents (e.g., replace from authlib.jose.errors import JoseError with from joserfc.errors import JoseError), or
    • Migrate token handling code fully to use joserfc APIs directly
  • Update pyproject.toml floor from authlib>=1.6.0 to authlib>=1.7.0 to match the pinned version in requirements.hashes.source.txt
  • Update/add tests to cover joserfc error class behavior

References
