Closed woodruffw closed 1 year ago
Oh, I see now that each PyJWK
also has a key
attribute, which provides a concrete Algorithm
instance:
https://github.com/jpadilla/pyjwt/blob/777efa2f51249f63b0f95804230117723eca5d09/jwt/api_jwk.py#L60
The documentation implies that this should work:
https://pyjwt.readthedocs.io/en/stable/usage.html#retrieve-rsa-signing-keys-from-a-jwks-endpoint
...but I'm not sure how that makes it through prepare_key
, since it's called unconditionally and doesn't include an instance check for its own type. I'll experiment and find out.
Ah, from_jwk
doesn't return an Algorithm
subclass, but an instance of the actual underlying cryptography
key type (e.g. _RSAPublicKey
).
So, PyJWK.key
should always work. Sorry for the stream of consciousness here!
IMO it would still be a nice improvement to the public APIs to allow PyJWK
as a top-level type, or at least to adjust the hints to emphasize that cryptography
's key types are supported.
I guess we should close this now?
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
First of all, thanks for
pyjwt
!I'm implementing the consumer side of an OIDC flow, with the verification keys being retrieved periodically from the OIDC provider's JSON Web Key (JWK) set. I then turn each JWK's contents into this library's
PyJWK
type.Expected Result
For verification, I'm doing something like this:
...where
key
is aPyJWK
.I expect this to succeed and return the signed claim dictionary (assuming
key
is valid).Actual Result
Instead, I get a
TypeError
with the following message:Expecting a PEM-formatted key.
I traced this down to
algorithms.py
, where the key is expected to be in PEM format for RSA keys:https://github.com/jpadilla/pyjwt/blob/777efa2f51249f63b0f95804230117723eca5d09/jwt/algorithms.py#L294C15-L295
...which made me check the types for the
jwt.decode
API, where I realized that this wasn't supported to begin with 😅https://github.com/jpadilla/pyjwt/blob/777efa2f51249f63b0f95804230117723eca5d09/jwt/api_jwt.py#L182-L198
Request
So, my feature request: could
jwt.decode
acceptPyJWK
instances for thekey=
parameter?I think most of the scaffolding for this is already in place: the
Algorithm
ABC already has afrom_jwk
classmethod, so each concrete implementation could use it in its concreteprepare_key
implementation. From there, the top-level signature(s) could be broadened fromstr | bytes
tostr | bytes | PyJWK
.Alternatives considered
Given that the top level
decode
API only accepts PEM-encodedstr
orbytes
objects, I'm not sure if there's a clean alternative to this.I could do something hacky and manually re-encoded the
PyJWK
as a PEM-encoded key, potentially with the help of thecryptography
APIs. But that seems error prone 🙂