How to use a jwt.io provisioned token with jwcrypto?

Question:

I am trying to use a jwt.io generated JWT within my python code using jwcrypto with some success. I am saying some success because I am able to retrieve the claims (the wrong way) without validating the signature.

Here’s my code

from jwcrypto import jwt, jwk

jwtIoToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'

# Passing only jwt= deserializes the token without a key, so no signature
# check runs and the claims are never populated.
theJwt = jwt.JWT(jwt=jwtIoToken)
print(theJwt)
# .token is the underlying JWS; .objects holds its raw, unverified parts.
print(theJwt.token.objects)

The jwtIoToken value is taken verbatim from jwt.io. I was expecting to be able to just do theJwt.claims, but it is set to None. My hunch is that I need to validate the signature, but I have no idea how to do it without the key, and I have no clue what jwt.io is using.

Asked By: George


Answers:

You can find the key that jwt.io uses in the right column under "VERIFY SIGNATURE".
Unless you add anything different, the default value is "your-256-bit-secret".


When you use that value, you can verify the signature with the code below.

jwcrypto is a bit more complicated to use than pyjwt. Here you first have to initialize a JWK object and create the key from the given secret, and then pass the key to the verify(key) function:

from jwcrypto import jws, jwk

jwtIoToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
# from_password is a classmethod; it builds a symmetric (oct) JWK from the secret.
key = jwk.JWK.from_password("your-256-bit-secret")

jwstoken = jws.JWS()
jwstoken.deserialize(jwtIoToken)
# Raises jws.InvalidJWSSignature if the signature does not match the key.
jwstoken.verify(key)
# payload is only available (as bytes) after a successful verify().
payload = jwstoken.payload

print(payload.decode())
Answered By: jps
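What verify(key) actually checks, as an added example of my own (not code from the answer or from jwcrypto) that uses only the standard library so the mechanism is visible: it recomputes HMAC-SHA256 over the first two parts with jwt.io's default secret, pins the algorithm so a header claiming alg "none" or anything other than HS256 is rejected before any comparison, and compares the signature in constant time.

```python
import base64
import hashlib
import hmac
import json

# The jwt.io sample token from the question and jwt.io's default secret.
JWT_IO_TOKEN = ('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
                'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.'
                'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c')
SECRET = b'your-256-bit-secret'


def b64url_decode(part: str) -> bytes:
    # JWT parts are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(part + '=' * (-len(part) % 4))


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims of token only if its HS256 signature checks out.

    Raises ValueError on any structural or signature problem, the role
    InvalidJWSSignature plays in jwcrypto's verify(key).
    """
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('token must have exactly three dot-separated parts')
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the header to choose it; this
    # rejects alg "none" and any non-HMAC algorithm outright.
    if header.get('alg') != 'HS256':
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    signing_input = f'{header_b64}.{payload_b64}'.encode('ascii')
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal matching prefixes.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError('signature mismatch')
    # Only now is the payload trustworthy enough to parse as claims.
    return json.loads(b64url_decode(payload_b64))


def is_valid(token: str, secret: bytes) -> bool:
    """True when verify_hs256 accepts the token, False when it rejects it."""
    try:
        verify_hs256(token, secret)
    except ValueError:
        return False
    return True
```

In jwcrypto the same verification that also fills in the `.claims` the question found set to None is `jwt.JWT(key=key, jwt=jwtIoToken, algs=['HS256']).claims`, with `algs` pinning the algorithm as done here.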