jpadilla / pyjwt

JSON Web Token implementation in Python
https://pyjwt.readthedocs.io
MIT License

Using PyJWKClient.get_signing_key_from_jwt(), getting an 'Expecting a PEM-formatted key' error. #957

Open jmarshall9120 opened 1 month ago

jmarshall9120 commented 1 month ago

Here's the setup for decoding a token from an AWS sandbox. There are no real resources to abuse here. I can tear down the sandbox once the issue is replicated.

import jwt
from jwt import PyJWKClient

# aws_session and amplify_outputs come from the reporter's environment and are not shown in the issue.
pub_key_endpoint = f'https://cognito-idp.{aws_session.region_name}.amazonaws.com/{amplify_outputs["auth"]["user_pool_id"]}/.well-known/jwks.json'
actual_auth = '<JWT issued by the Cognito user pool>'  # placeholder: token value omitted

jwks_client = PyJWKClient(pub_key_endpoint)
signing_key = jwks_client.get_signing_key_from_jwt(actual_auth)  # returns a PyJWK object
payload = jwt.decode(actual_auth, signing_key, algorithms=['RS256'])  # raises the TypeError reported below

Expected Result

returns decoded token.

Actual Result

TypeError: Expecting a PEM-formatted key.

Reproduction Steps

Entire reproduction given above.

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "42.0.7"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.9.7"
  },
  "platform": {
    "release": "10",
    "system": "Windows"
  },
  "pyjwt": {
    "version": "2.8.0"
  }
}


leahein commented 1 month ago

You would need to pass in the value from the key attribute on the signing_key

payload = jwt.decode(actual_auth, signing_key.key, algorithms=['RS256'])
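
The difference between the PyJWK wrapper and its key attribute, as an added example that is not part of the original thread or the project's code. It runs offline: the RSA key pair, the JWKS document, the kid and the claims are all constructed, and the kid lookup is done by hand with PyJWKSet instead of fetching from an endpoint with PyJWKClient.

```python
import json

import jwt
from cryptography.hazmat.primitives.asymmetric import rsa
from jwt import PyJWKSet
from jwt.algorithms import RSAAlgorithm

KID = "constructed-key-1"  # constructed key id, not a real Cognito kid


def make_issuer():
    """Stand-in for the identity provider: returns (JWKS document, signed token)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    jwk = json.loads(RSAAlgorithm.to_jwk(private_key.public_key()))
    jwk.update({"kid": KID, "alg": "RS256", "use": "sig"})
    claims = {"sub": "user-123", "token_use": "access"}  # constructed claims
    token = jwt.encode(claims, private_key, algorithm="RS256", headers={"kid": KID})
    return {"keys": [jwk]}, token


def select_signing_key(jwks, token):
    """Match the token's unverified 'kid' header against the JWKS; returns a PyJWK."""
    kid = jwt.get_unverified_header(token)["kid"]
    for candidate in PyJWKSet.from_dict(jwks).keys:
        if candidate.key_id == kid:
            return candidate
    raise LookupError(f"no JWKS entry with kid {kid!r}")


def verify(jwks, token):
    """Verify with the wrapped key object (PyJWK.key), pinning the algorithm."""
    signing_key = select_signing_key(jwks, token)
    return jwt.decode(token, signing_key.key, algorithms=["RS256"])


def decode_with_wrapper(jwks, token):
    """The call from the issue: hand jwt.decode the PyJWK wrapper itself."""
    try:
        jwt.decode(token, select_signing_key(jwks, token), algorithms=["RS256"])
        return "accepted"
    except (TypeError, jwt.PyJWTError) as exc:
        return f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    jwks, token = make_issuer()
    print(verify(jwks, token))
    print(decode_with_wrapper(jwks, token))
```

On the PyJWT 2.8.0 reported in the issue, decode_with_wrapper returns the TypeError text; passing signing_key.key works regardless of whether a given release also accepts the wrapper.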