search

jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License
5.08k stars 679 forks source link

Encoded values different after updating to 2.5.0 #806

Closed sanders41 closed 1 year ago

sanders41 commented 1 year ago

Summary.

After updating from 2.4.0 to 2.5.0 we started seeing failing tests in our CI (for example). We have tracked the issue down to the encoded value being different for the value we used to get. I didn't see anything in the change log that would cause this, and looking through the PRs the only thing I saw that may be related is here.

Expected Result

I didn't expect a change in the encoded values.

Actual Result

Got different encoded values when encoding the same strings.

Reproduction Steps

Run the following with pyjwt 2.4.0 and then again with 2.5.0 and the values will be different.

import jwt

data = {"email": "someone@somewhere.com", "phone_number": "352-867-5309"}
encoded_value = jwt.encode(data, "secret", algorithm="HS256")
print(encoded_value)

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "3.4.8"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.9.14"
  },
  "platform": {
    "release": "5.10.124-linuxkit",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.5.0"
  }
}

Also tested and same results with

{
  "cryptography": {
    "version": "38.0.1"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.10.7"
  },
  "platform": {
    "release": "21.6.0",
    "system": "Darwin"
  },
  "pyjwt": {
    "version": "2.5.0"
  }
}

This command is only available on PyJWT v1.6.3 and greater. Otherwise, please provide some basic information about your system.

frenck commented 1 year ago

We notice the same thing @ the Home Assistant project.

https://github.com/home-assistant/core/pull/78776 (CI fails for the same reason as above).

jpadilla commented 1 year ago

That's because of sorting header keys introduced in https://github.com/jpadilla/pyjwt/pull/721. What's the use case of JWTs for equality instead of validity?

frenck commented 1 year ago

Clear @jpadilla 👍 It just made alarm bells ring, without a clear reason why. Thanks for the clarification 👍

sanders41 commented 1 year ago

Yes, we have switched to testing validity instead. It was just a surprise to see things fail since we didn't see anything in the change log.