jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

Remove algorithm parameter overwrite in PyJWS.encode #943

Closed EnriGaci closed 5 months ago

EnriGaci commented 8 months ago

Summary.

I want to test that my application is failing when it is trying to validate a token signed with the wrong algorithm. Since this line https://github.com/jpadilla/pyjwt/blob/f86b8b6ce670e40f1ef037b70ac6b4c682e8ac6f/jwt/api_jws.py#L118 overwrites the algorithm parameter I pass, it makes it impossible to do this and invalidates the existence of the algorithm parameter.

My use case is this

  1. Create a header with 'alg' = 'RS256'
  2. Encode a token using PyJWT.encode with algorithm="HS256"

Expected Result

The token generated to be encoded with algorithm="HS256"

Actual Result

The token generated is encoded with "RS256"

Reproduction Steps

import jwt
secret_key = "some_secret"
# algorithm="HS256" is requested, but the 'alg' entry in headers takes precedence
jwt.encode({"name1":"value1"}, secret_key.encode('utf-8'), algorithm="HS256", headers={'alg': "RS256"})

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "42.0.2"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.7.6"
  },
  "platform": {
    "release": "10",
    "system": "Windows"
  },
  "pyjwt": {
    "version": "2.8.0"
  }
}

This command is only available on PyJWT v1.6.3 and greater. Otherwise, please provide some basic information about your system.
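
A negative-test sketch for the use case above, added here as an example and not part of the original issue or of PyJWT's code: it builds the token by hand with the standard library, so the header's `alg` can differ from the HMAC-SHA256 actually used to sign, and checks it against a verifier that pins HS256. `make_token`, `verify_hs256` and `RejectedToken` are hypothetical names, and the payload and secret are the sample values from the reproduction steps.

```python
import base64
import hashlib
import hmac
import json


class RejectedToken(Exception):
    """Raised by the hypothetical verifier for any token it refuses."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_token(payload: dict, secret: bytes, header_alg: str) -> str:
    """Test fixture: always signs with HMAC-SHA256, whatever the header claims."""
    header = {"typ": "JWT", "alg": header_alg}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Hypothetical verifier under test: the allowed algorithm is pinned here
    and the header must agree with it before the signature is even checked."""
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
        sig = b64url_decode(sig_seg)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise RejectedToken("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise RejectedToken("algorithm not allowed")
    signing_input = (header_seg + "." + payload_seg).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise RejectedToken("bad signature")
    return json.loads(b64url_decode(payload_seg))
```

The mismatched token carries a MAC that would verify under the shared secret, so the test only passes if the verifier rejects on the header's `alg` alone.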

github-actions[bot] commented 6 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days