vertexcover-io / falcon-auth

A falcon middleware + authentication backends that adds an authentication layer to your app/API service.
MIT License

JWTAuthBackend RS256 algorithm verification error #27

Open moham opened 5 years ago

moham commented 5 years ago

Hi,

In Auth backend:

```python
jwt_auth = JWTAuthBackend(lambda token: None, private_key, algorithm='RS256')
token = jwt_auth.get_auth_token({"uid": "123"})
```

In Application backend:

```python
auth_middleware = FalconAuthMiddleware(JWTAuthBackend(User.user_loader, public_key, algorithm='RS256'))
app = falcon.API(middleware=[auth_middleware])
```

Error in Application backend:

```json
{ "title": "401 Unauthorized", "description": "The specified alg value is not allowed" }
```

jcwilson commented 5 years ago

That's odd. This middleware isn't doing anything too crazy with the keys or algorithm values, so I'm having trouble isolating this issue to a bug in the JWTAuthBackend implementation.

Can you try some things for me?

1) First, can you generate an RS256 key pair or cert and provide it here or make it available to me somehow (md5sums of any files would be great, too)?
2) Use those credentials to jwt.encode() and then jwt.decode() a token without using JWTAuthBackend. This is just to test that jwt and your credentials are functional and prove that the issue is in JWTAuthBackend code.

If the encode/decode test passes, but you still get the failure behavior with JWTAuthBackend, I should be able to dig in a bit and hopefully resolve this.

jcwilson commented 5 years ago

I stumbled on this thread, but I'm not sure how relevant it is yet: https://github.com/jpadilla/pyjwt/issues/236

moham commented 5 years ago

With PyJWT==1.7.1 everything is ok:

```python
import jwt

with open('private.pem') as pv:
    p = pv.read()
with open('public.pem') as pb:
    b = pb.read()

en = jwt.encode({'m': 'n'}, p, algorithm='RS256')
# jwt.decode() takes the plural `algorithms=` allowlist; a singular
# `algorithm=` keyword is silently ignored by PyJWT 1.7.1, which then
# accepts whatever alg the token header names.
jwt.decode(en, b, algorithms=['RS256'])
# {'m': 'n'}
```

moham commented 5 years ago

Solved! falcon-auth 1.1.0, installed from pip. I think line 244 of falcon_auth/backends.py must be:

```python
return jwt.encode(payload, self.secret_key, algorithm=self.algorithm,
```

instead of:

```python
return jwt.encode(payload, self.secret_key,
```

Please update falcon-auth in pip repository.
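An added example (not falcon-auth's code and not from this thread) that puts the two halves of the report side by side: an issuer that passes algorithm='RS256' the way the fix does, and a verifier with an RS256-only allowlist that rejects a token whose header says HS256 with the same InvalidAlgorithmError behind the 401. It assumes PyJWT and cryptography are installed; generate_pem_pair, issue_token, verify_token and classify are hypothetical names, and the key pair and HMAC secret are constructed for the demo.

```python
import jwt
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def generate_pem_pair():
    """Constructed throwaway RSA pair standing in for private.pem / public.pem."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048,
                                   backend=default_backend())
    private_pem = key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption())
    public_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_pem, public_pem

def issue_token(payload, private_pem, algorithm="RS256"):
    """Issuer side (hypothetical stand-in for get_auth_token). The explicit
    algorithm= kwarg is the one-line fix; without it PyJWT uses its default."""
    return jwt.encode(payload, private_pem, algorithm=algorithm)

def verify_token(token, public_pem, allowed=("RS256",)):
    """Verifier side: decode against an explicit allowlist. PyJWT compares the
    header's alg with it before it looks at the key or the signature."""
    return jwt.decode(token, public_pem, algorithms=list(allowed))

def classify(token, public_pem, allowed=("RS256",)):
    """Label the outcome; InvalidAlgorithmError is caught first because it is
    a subclass of InvalidTokenError."""
    try:
        verify_token(token, public_pem, allowed)
        return "ok"
    except jwt.exceptions.InvalidAlgorithmError:  # the thread's 401 message
        return "alg-not-allowed"
    except jwt.exceptions.InvalidTokenError:
        return "invalid"

def demo():
    private_pem, public_pem = generate_pem_pair()
    fixed = issue_token({"uid": "123"}, private_pem)  # header alg: RS256
    # A token whose header says HS256, as the verifier saw before the fix
    # (constructed with a plain secret; newer PyJWT refuses a PEM as HMAC key).
    secret = "constructed-secret-not-a-real-key-0123456789"
    hs256 = jwt.encode({"uid": "123"}, secret, algorithm="HS256")
    return {"fixed_alg": jwt.get_unverified_header(fixed)["alg"],
            "fixed": classify(fixed, public_pem),
            "claims": verify_token(fixed, public_pem),
            "hs256": classify(hs256, public_pem)}
```

Running demo() shows the fixed issuer's token carrying alg RS256 and decoding cleanly, while the HS256-headed token is refused by the allowlist before its signature is ever examined.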