jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

Not reproducible encoding between versions? #871

Closed christophehenry closed 1 year ago

christophehenry commented 1 year ago

A project I work on updated from 2.4.0 to 2.6.0 today and, suddenly, our tests stopped passing. It turns out that some of our tests are checking against the generated JWT and the signature part has changed between 2.4.0 and 2.6.0.

Expected Result

The generated JWT should be consistent between versions.

Actual Result

The signature part of the generated JWT changed between 2.4.0 and 2.6.0 without any other configuration change.

Reproduction Steps

pip uninstall pyjwt
pip install -Iv pyjwt==2.4.0

import jwt

id_token = {
    "aud": "w8l&+@iyz^gc%zqg$6xm7cxsui)9m1t_lpr71=8=do_0l3sqih",
    "exp": 1679488464.144009,
    "iat": 1679487269.441549,
    "iss": "http://example.com/",
    "sub": "r^fj^cnr+v+63^kxejxu7$_l*b0jd2b3al+4^p$^dcafld#xd%",
    "nonce": "-6n0=jm*^#aa(6fdo6up-2&5-%q6^evdvh$o&z7l(+xm-edh#9",
}

jwt.encode(id_token, "36gsux75u48j$qgr%4^7^(7a6d3_%=v&k6$(h)2fgvpb49v-ya", algorithm="HS256")

"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ3OGwmK0BpeXpeZ2MlenFnJDZ4bTdjeHN1aSk5bTF0X2xwcjcxPTg9ZG9fMGwzc3FpaCIsImV4cCI6MTY3OTQ4ODQ2NC4xNDQwMDksImlhdCI6MTY3OTQ4NzI2OS40NDE1NDksImlzcyI6Imh0dHA6Ly9leGFtcGxlLmNvbS8iLCJzdWIiOiJyXmZqXmNucit2KzYzXmt4ZWp4dTckX2wqYjBqZDJiM2FsKzRecCReZGNhZmxkI3hkJSIsIm5vbmNlIjoiLTZuMD1qbSpeI2FhKDZmZG82dXAtMiY1LSVxNl5ldmR2aCRvJno3bCgreG0tZWRoIzkifQ.9EMrLXrZzHQd-6qvl18o-82M3KBoWLdCIBhAFAtG_mI"
pip uninstall pyjwt
pip install -Iv pyjwt==2.6.0

jwt.encode(id_token, "36gsux75u48j$qgr%4^7^(7a6d3_%=v&k6$(h)2fgvpb49v-ya", algorithm="HS256")

"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3OGwmK0BpeXpeZ2MlenFnJDZ4bTdjeHN1aSk5bTF0X2xwcjcxPTg9ZG9fMGwzc3FpaCIsImV4cCI6MTY3OTQ4ODQ2NC4xNDQwMDksImlhdCI6MTY3OTQ4NzI2OS40NDE1NDksImlzcyI6Imh0dHA6Ly9leGFtcGxlLmNvbS8iLCJzdWIiOiJyXmZqXmNucit2KzYzXmt4ZWp4dTckX2wqYjBqZDJiM2FsKzRecCReZGNhZmxkI3hkJSIsIm5vbmNlIjoiLTZuMD1qbSpeI2FhKDZmZG82dXAtMiY1LSVxNl5ldmR2aCRvJno3bCgreG0tZWRoIzkifQ.KjgKoSuwhNrW05SF0twy4tIz-uoGLIATiQLaWAKxntU"

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": ""
  },
  "implementation": {
    "name": "CPython",
    "version": "3.11.2"
  },
  "platform": {
    "release": "6.1.18-200.fc37.x86_64",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.6.0"  # or 2.4.0
  }
}

andrewsw commented 1 year ago

We've seen this issue as well, somewhere between 2.4.0 and 2.6.0.

jensjeflensje commented 1 year ago

I think this issue was already inside 2.5.0. I did some digging, and there's already a comment with an explanation: https://github.com/jpadilla/pyjwt/issues/806#issuecomment-1252200704

From this, I think it's safe to just update the tests with new JWTs or change your tests to only test validity :)
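To test validity rather than byte-for-byte equality, here is an added stdlib-only example (not pyjwt's code and not from anyone in this thread): it decodes both headers from the report, confirms the payload segments are identical, and re-verifies each HS256 signature with the key from the report. The key and tokens are copied from the issue above; `sign_hs256` is a minimal stand-in for `jwt.encode` and is an assumption of this example, not pyjwt's implementation.

```python
import base64
import hashlib
import hmac
import json

# Key and tokens copied from the issue report above (2.4.0 output first, 2.6.0 second).
KEY = "36gsux75u48j$qgr%4^7^(7a6d3_%=v&k6$(h)2fgvpb49v-ya"
TOKEN_240 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ3OGwmK0BpeXpeZ2MlenFnJDZ4bTdjeHN1aSk5bTF0X2xwcjcxPTg9ZG9fMGwzc3FpaCIsImV4cCI6MTY3OTQ4ODQ2NC4xNDQwMDksImlhdCI6MTY3OTQ4NzI2OS40NDE1NDksImlzcyI6Imh0dHA6Ly9leGFtcGxlLmNvbS8iLCJzdWIiOiJyXmZqXmNucit2KzYzXmt4ZWp4dTckX2wqYjBqZDJiM2FsKzRecCReZGNhZmxkI3hkJSIsIm5vbmNlIjoiLTZuMD1qbSpeI2FhKDZmZG82dXAtMiY1LSVxNl5ldmR2aCRvJno3bCgreG0tZWRoIzkifQ.9EMrLXrZzHQd-6qvl18o-82M3KBoWLdCIBhAFAtG_mI"
TOKEN_260 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3OGwmK0BpeXpeZ2MlenFnJDZ4bTdjeHN1aSk5bTF0X2xwcjcxPTg9ZG9fMGwzc3FpaCIsImV4cCI6MTY3OTQ4ODQ2NC4xNDQwMDksImlhdCI6MTY3OTQ4NzI2OS40NDE1NDksImlzcyI6Imh0dHA6Ly9leGFtcGxlLmNvbS8iLCJzdWIiOiJyXmZqXmNucit2KzYzXmt4ZWp4dTckX2wqYjBqZDJiM2FsKzRecCReZGNhZmxkI3hkJSIsIm5vbmNlIjoiLTZuMD1qbSpeI2FhKDZmZG82dXAtMiY1LSVxNl5ldmR2aCRvJno3bCgreG0tZWRoIzkifQ.KjgKoSuwhNrW05SF0twy4tIz-uoGLIATiQLaWAKxntU"

def b64url_decode(seg: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_hs256(header: dict, payload: dict, key: str) -> str:
    # Minimal stand-in for jwt.encode (an assumption of this example): compact JSON,
    # serialised in the dict's own key order, so a header order change alters the signature.
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, key: str) -> bool:
    head, body, sig = token.split(".")
    expected = hmac.new(key.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def decoded_parts(token: str) -> tuple:
    head, body, _ = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))

def tokens_equivalent(t1: str, t2: str, key: str) -> bool:
    # Same header and claim *content* and both signatures valid under `key`;
    # serialisation details such as header key order are deliberately ignored.
    return decoded_parts(t1) == decoded_parts(t2) and verify_hs256(t1, key) and verify_hs256(t2, key)

if __name__ == "__main__":
    for label, tok in (("2.4.0", TOKEN_240), ("2.6.0", TOKEN_260)):
        print(label, "header:", decoded_parts(tok)[0], "signature valid:", verify_hs256(tok, KEY))
    print("same payload segment:", TOKEN_240.split(".")[1] == TOKEN_260.split(".")[1])
    print("equivalent tokens:", tokens_equivalent(TOKEN_240, TOKEN_260, KEY))
```

A test written as `assert tokens_equivalent(actual, expected_fixture, key)` instead of `assert actual == expected_fixture` keeps passing across pyjwt upgrades while still catching a wrong key or altered claims.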

andrewsw commented 1 year ago

Nice find @jensjeflensje! Thanks!

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.