Open cloudspeak opened 3 years ago
Hey @cloudspeak,
It looks like you are passing in a private key to the `verify` function and we aren't properly extracting the public key information from that JWK in some of our backends, including the `cryptography` backend. I am able to get it to work by simply removing some of the private key material.
```python
from jose import jwt

# Drop the RSA/EC private exponent so only public material reaches the verifier
del key['d']
jwt.decode(
    token=token,
    key=key,
    algorithms=[key.get("alg")],
)
```
Most of the time, users are verifying tokens with only a public key, and not the full key material. However, I agree that it is a bug. All of the data necessary to verify the token is being provided in the key, we just aren't properly extracting it.
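The workaround above deletes only `d`, which is enough for the cryptography backend to treat an RSA or EC JWK as public. A more careful version, as an added example that is not python-jose code and not from either commenter, strips every private member defined for the key type (RFC 7518 section 6: `d`, `p`, `q`, `dp`, `dq`, `qi`, `oth` for RSA; `d` for EC and OKP), refuses symmetric `oct` keys because they have no public half, and checks that the public members the verifier needs are actually present. The JWK values below are constructed placeholders, not real key material, and `verify_with_jose` is a hypothetical wrapper that assumes `python-jose` is installed.

```python
# Added example: reduce a JWK to its public members before handing it to a verifier.
# Not part of python-jose; the sample key values are constructed placeholders.
from typing import Any, Dict

# Private members per key type (RFC 7518 section 6). "oct" keys are entirely secret.
_PRIVATE_MEMBERS = {
    "RSA": ("d", "p", "q", "dp", "dq", "qi", "oth"),
    "EC": ("d",),
    "OKP": ("d",),
}

# Public members a verifier needs for each key type.
_REQUIRED_PUBLIC = {
    "RSA": ("n", "e"),
    "EC": ("crv", "x", "y"),
    "OKP": ("crv", "x"),
}


def is_private_jwk(jwk: Dict[str, Any]) -> bool:
    """True if the JWK carries any private member for its key type."""
    kty = jwk.get("kty")
    if kty == "oct":
        return "k" in jwk
    return any(m in jwk for m in _PRIVATE_MEMBERS.get(kty, ()))


def public_jwk(jwk: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the JWK with all private members removed.

    Raises ValueError for symmetric keys (no public part) and for keys
    missing the public members a verifier would need.
    """
    kty = jwk.get("kty")
    if kty == "oct":
        raise ValueError("symmetric 'oct' key has no public part; do not pass it to a verifier")
    if kty not in _PRIVATE_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in _REQUIRED_PUBLIC[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing public members {missing} for kty {kty}")
    return {k: v for k, v in jwk.items() if k not in _PRIVATE_MEMBERS[kty]}


# Constructed sample keys (placeholder strings, not valid key material).
SAMPLE_RSA_PRIVATE = {
    "kty": "RSA", "alg": "RS256", "kid": "example-1", "use": "sig",
    "n": "PLACEHOLDER_MODULUS", "e": "AQAB",
    "d": "PLACEHOLDER_D", "p": "PLACEHOLDER_P", "q": "PLACEHOLDER_Q",
    "dp": "PLACEHOLDER_DP", "dq": "PLACEHOLDER_DQ", "qi": "PLACEHOLDER_QI",
}

SAMPLE_EC_PRIVATE = {
    "kty": "EC", "alg": "ES256", "kid": "example-2", "crv": "P-256",
    "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y", "d": "PLACEHOLDER_D",
}


def verify_with_jose(token: str, jwk: Dict[str, Any]) -> Dict[str, Any]:
    """Hypothetical wrapper: strip private members, then let python-jose verify."""
    from jose import jwt  # imported lazily; assumes python-jose is installed

    key = public_jwk(jwk)
    return jwt.decode(token, key, algorithms=[key["alg"]])


if __name__ == "__main__":
    pub = public_jwk(SAMPLE_RSA_PRIVATE)
    print(sorted(pub))  # ['alg', 'e', 'kid', 'kty', 'n', 'use']
    print(is_private_jwk(SAMPLE_RSA_PRIVATE), is_private_jwk(pub))  # True False
```

Keeping the check in one place also gives a useful detection point: if `is_private_jwk` ever returns True for a key arriving at the verification path, a private key has leaked into configuration that should only hold public material.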
Thanks @mpdavis, I have verified this was exactly my problem.
I am unable to successfully validate any tokens when the `cryptography` backend is installed. Consider this example:

Clearly, the `decode` method should not fail in this case, and when I install `python-jose` by itself, it does not. However, if I install the `cryptography` package with poetry:

The decode method now throws a `JWSSignatureError` with the message `Signature verification failed.` even though I haven't changed the code at all. I tried a few different encryption algorithms and it seems both RSA and EC are affected, but oct is not (although this is not sufficient for my purposes). Frustratingly, I don't actually care which backend is used, but I have some other packages which require `cryptography` so I can't stop `python-jose` from using it. As far as I can see this is a bug. Can anyone see something I'm doing wrong or have any ideas of a workaround? Many thanks.
Here is some detail about my environment: