Let the unverified paylod be read #272

frtrotta · 2022-02-24T18:06:55Z

frtrotta
Feb 24, 2022

Use case

The JWT is signed with RS256 algorithm and contains the kid claim.
The corresponding key is not available, but it can be obatined via a public endpoint.

Issue

How to access the unverified payload as to read the kid claim, to obtain the key for subsequent verification?

simo5 · 2022-04-26T22:00:49Z

simo5
Apr 26, 2022
Maintainer

given a JWT you can do this:

from jwcrypto import jwt, jws
Token = 'eyJhbGciOiJIUzI1NiIsImtpZCI6Il8yRmZjZ1BJZjFnYlA4bVp5eXUwV2YxcnhMQWNPRUFMa29ELXdIS1E1NVEifQ.eyJpbmZvIjoiSSdtIGEgc2lnbmVkIHRva2VuIn0.Z7A0Dlc_SncDvNp4fcPp3qfxzm_u7TfjJVTHage7NMc'

jwtok = jwt.JWT(jwt=Token)
if isinstance(jwtok.token, jws.JWS):
    kid = jwtok.token.jose_header.get('kid')
if kid:
   # fetch key
   # and then either
   jwtok.token.verify(key)
   # or regenerate with
   jwtok = jwt.JWT(jwt=Token, key=key)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Let the unverified paylod be read #272

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Let the unverified paylod be read #272

Uh oh!

Uh oh!

frtrotta Feb 24, 2022

Use case

Issue

Replies: 1 comment

Uh oh!

simo5 Apr 26, 2022 Maintainer

frtrotta
Feb 24, 2022

simo5
Apr 26, 2022
Maintainer