I'd like to temporarily enable the none algorithm to create unsigned JWTs as part of my unit tests. I didn't manage to do this, can you please add an info (or a function) to do this? Or add a dedicate encodeUnsignedJWT function?

PR #45 changed version range of cryptography to cryptography >= 3.1, < 36.0. The new range is still problematic. Cryptography has adopted a new version scheme. New major version will be released more often. I expect release 36.0.0 in a couple of days. You can find more details in pyca/cryptography#6345 .

Could you please relax or remove the upper bound?

Thanks to this bug in pip, installing pyjwt and jwt at the same time causes a whole lot of issues with no warning whatsoever to the poor user. Please see pypa/pip#4625 and jpadilla/pyjwt#282 for details.

And pretty please consider talk with the author of the other package and agree on a unique namespace.

I want to encode with jwt.encode but I got this error.

In your example code you load a public key from rsa_public_key.json. How is this JSON file generated?

I have no problems generating a PEM from the private key for signing. But how to generte the input for verifying?

Getting this error right now.

Using:

                        jwtObject = JWT()
			with open('private_key', 'rb') as fh:
				salt = jwk_from_pem(fh.read())
			jwt = jwtObject.encode(user, salt, 'RS256')
			with open('public_key', 'r') as fh:
				salt = jwk_from_pem(fh.read())
			test = jwtObject.decode(jwt, salt)
			print(test)

On Mac OS 10.13.5, python-jwt will install via pip to a python2 installation, seemingly successfully (see below). Installing to a python3 installation using pip3 works as expected. Installing to python2 under Ubuntu 16.04 fails at building wheel for cryptography step. Seems like a more robust version check is needed.

(test-venv) username@hostname:~/test-venv$ python --version
Python 2.7.10
(test-venv) username@hostname:~/test-venv$ pip install jwt
Collecting jwt
Collecting cryptography==1.7.2 (from jwt)
  Using cached https://files.pythonhosted.org/packages/51/d9/91266ca5bc54de4882d8a2e836a3038e4cb9a1cc189a9c745516dc685ea1/cryptography-1.7.2-cp27-cp27m-macosx_10_6_intel.whl
Collecting typing==3.5.3.0 (from jwt)
Collecting six>=1.4.1 (from cryptography==1.7.2->jwt)
  Using cached https://files.pythonhosted.org/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
Requirement already satisfied: setuptools>=11.3 in ./lib/python2.7/site-packages (from cryptography==1.7.2->jwt) (40.0.0)
Collecting pyasn1>=0.1.8 (from cryptography==1.7.2->jwt)
  Using cached https://files.pythonhosted.org/packages/a0/70/2c27740f08e477499ce19eefe05dbcae6f19fdc49e9e82ce4768be0643b9/pyasn1-0.4.3-py2.py3-none-any.whl
Collecting cffi>=1.4.1 (from cryptography==1.7.2->jwt)
  Using cached https://files.pythonhosted.org/packages/7e/4a/b647e46faaa2dcfb16069b6aad2d8509982fd63710a325b8ad7db80f18be/cffi-1.11.5-cp27-cp27m-macosx_10_6_intel.whl
Collecting enum34 (from cryptography==1.7.2->jwt)
  Using cached https://files.pythonhosted.org/packages/c5/db/e56e6b4bbac7c4a06de1c50de6fe1ef3810018ae11732a50f15f62c7d050/enum34-1.1.6-py2-none-any.whl
Collecting ipaddress (from cryptography==1.7.2->jwt)
  Using cached https://files.pythonhosted.org/packages/fc/d0/7fc3a811e011d4b388be48a0e381db8d990042df54aa4ef4599a31d39853/ipaddress-1.0.22-py2.py3-none-any.whl
Collecting idna>=2.0 (from cryptography==1.7.2->jwt)
  Using cached https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl
Collecting pycparser (from cffi>=1.4.1->cryptography==1.7.2->jwt)
Installing collected packages: six, pyasn1, pycparser, cffi, enum34, ipaddress, idna, cryptography, typing, jwt
Successfully installed cffi-1.11.5 cryptography-1.7.2 enum34-1.1.6 idna-2.7 ipaddress-1.0.22 jwt-0.5.2 pyasn1-0.4.3 pycparser-2.18 six-1.11.0 typing-3.5.3.0
(test-venv) username@hostname:~/test-venv$ python
Python 2.7.10 (default, Oct  6 2017, 22:29:07) 
[GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.31)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import jwt
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/username/test-venv/lib/python2.7/site-packages/jwt/__init__.py", line 17, in <module>
    from .jwk import (
  File "/Users/username/test-venv/lib/python2.7/site-packages/jwt/jwk.py", line 60
    def is_sign_key(self) -> bool:
                          ^
SyntaxError: invalid syntax

The various assertions in the codebase that assert isinstance(..., str) will behave differently in Python 2.x and Python 3.x. The assertions may work now on tested examples but their behaviour is different. In Python 2.x it'll assert that a sequence of bytes is passed in wheres in Python 3.x it'll assert a Unicode string is passed in. So these assertions should be adapted to use basestring instead.

AttributeError: 'dict' object has no attribute '_jws'

got this error :

File "E:\github\MyGits\TDA\rest_server_sql.py", line 113, in login
token = jwt.JWT.encode({'public_id' : user.public_id, 'exp' : datetime.datetime.utcnow() + datetime.timedelta(minutes=30)}, app.config['SECRET_KEY'])
File "E:\github\MyGits\TDA\venv_tda\lib\site-packages\jwt\jwt.py", line 44, in encode
return self._jws.encode(message, key, alg, optional_headers)
AttributeError: 'dict' object has no attribute '_jws'

while generating token:
token = jwt.JWT.encode({'public_id' : user.public_id, 'exp' : datetime.datetime.utcnow() + datetime.timedelta(minutes=30)}, app.config['SECRET_KEY'])

Please provide a support for cryptography package in newest version (2.*).

Requirement cryptography<2.* causes dependency clash in our project.

Hi everyone, i faced with problem, which can't let me perform makemigrations when i'm using JWT.

The error is:
from jwt import JWT, jwk_from_pem ImportError: cannot import name JWT

In the file i just import JWT & jwk_from_pem
from jwt import JWT, jwk_from_pem
then using jwt = JWT()

In the settings.py
INSTALLED_APPS = [ 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', ..., 'rest_framework', 'jwt', ..., ]

What the cause of the error above?

Trying to decode a jwt token which was encrypted with RS256

res = jwt.decode(
    jwt=token,
    key=SECRET,
    algorithms=["ES256","RS256",],
    options={
        "verify_signature": True,
        "require": get_required_fields(),
    }
)

getting this error:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 168, in decode
    decoded = self.decode_complete(
  File "/opt/venv/lib/python3.10/site-packages/jwt/api_jwt.py", line 120, in decode_complete
    decoded = api_jws.decode_complete(
  File "/opt/venv/lib/python3.10/site-packages/jwt/api_jws.py", line 202, in decode_complete
    self._verify_signature(signing_input, header, signature, key, algorithms)
  File "/opt/venv/lib/python3.10/site-packages/jwt/api_jws.py", line 300, in _verify_signature
    if not alg_obj.verify(signing_input, key, signature):
  File "/opt/venv/lib/python3.10/site-packages/jwt/algorithms.py", line 377, in verify
    key.verify(sig, msg, padding.PKCS1v15(), self.hash_alg())
TypeError: _EllipticCurvePublicKey.verify() takes 4 positional arguments but 5 were given

versions:

# pip freeze | grep JWT
PyJWT==2.6.0
# pip freeze | grep cryptography
cryptography==38.0.3

Hello,

There is a conflict between this package and the PyJWT (https://github.com/jpadilla/pyjwt), both packages are installed in the /dist-packages/jwt.

It could be good if the two teams could come up with some solution? Or can this package installed in a different way?

Kind regards
Attila

I have python 3.6.1. and jwt 0.5.1
I'm getting an import error. I don't know why.

File "/usr/local/lib/python3.6/dist-packages/requests/api.py", line 72, in get
   return request('get', url, params=params, **kwargs)
 File "/usr/local/lib/python3.6/dist-packages/requests/api.py", line 58, in request
   return session.request(method=method, url=url, **kwargs)
 File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 504, in request
   prep = self.prepare_request(req)
 File "/usr/local/lib/python3.6/dist-packages/requests/sessions.py", line 436, in prepare_request
   hooks=merge_hooks(request.hooks, self.hooks),
 File "/usr/local/lib/python3.6/dist-packages/requests/models.py", line 306, in prepare
   self.prepare_auth(auth, url)
 File "/usr/local/lib/python3.6/dist-packages/requests/models.py", line 543, in prepare_auth
   r = auth(self)
 File "/usr/local/lib/python3.6/dist-packages/requests_oauthlib/oauth1_auth.py", line 88, in __call__
   unicode(r.url), unicode(r.method), None, r.headers)
 File "/usr/local/lib/python3.6/dist-packages/oauthlib/oauth1/rfc5849/__init__.py", line 314, in sign
   ('oauth_signature', self.get_oauth_signature(request)))
 File "/usr/local/lib/python3.6/dist-packages/oauthlib/oauth1/rfc5849/__init__.py", line 151, in get_oauth_signature
   sig = self.SIGNATURE_METHODS[self.signature_method](base_string, self)
 File "/usr/local/lib/python3.6/dist-packages/oauthlib/oauth1/rfc5849/signature.py", line 505, in sign_rsa_sha1_with_client
   return sign_rsa_sha1(base_string, client.rsa_key)
 File "/usr/local/lib/python3.6/dist-packages/oauthlib/oauth1/rfc5849/signature.py", line 496, in sign_rsa_sha1
   alg = _jwt_rs1_signing_algorithm()
 File "/usr/local/lib/python3.6/dist-packages/oauthlib/oauth1/rfc5849/signature.py", line 473, in _jwt_rs1_signing_algorithm
   import jwt.algorithms as jwtalgo
 File "/usr/local/lib/python3.6/dist-packages/jwt/algorithms.py", line 5, in <module>
   from .exceptions import InvalidKeyError
ImportError: cannot import name 'InvalidKeyError'

Trying to import jwt==0.5.4 in Py2.7:

Python 2.7.12 (default, Nov 12 2018, 14:36:49) 
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import jwt
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/johnli/.local/lib/python2.7/site-packages/jwt/__init__.py", line 17, in <module>
    from .jwa import std_hash_by_alg
  File "/home/johnli/.local/lib/python2.7/site-packages/jwt/jwa.py", line 31
    def std_hash_by_alg(alg: str) -> Callable[[bytes], object]:
                           ^
SyntaxError: invalid syntax

Any reason this depends on an older cryptography package?

The install_requires value in setup.py does not specify the exact versions (dependency==0.1.0) and / or version bounds (dependency<=0.2). This means that someone could install this project a year from now and it may not work because a dependency could have introduced a backwards incompatible change. It's therefore better to specify the versions and upgrade them yourself when you've verified that a newer version of a dependency works fine with this project.

Rationale

AbstractJWKBase so far is just a placeholder class that raise not implemented if a method is called in a subclass that doesn't implement the given method, this is exactly why ABC classes in python are for, therefore we should move it that way.

https://github.com/GehirnInc/python-jwt/blob/master/jwt/jwk.py#L53

Would be nice if the header would be included in the JWT#decode method. If not, it'd be convenient to have a get_unverified_headers method on the JWT class.

I'm upgrading an out-of-date application from 0.3.x to 1.0, and I don't understand how to use JWKS now? Previously you could supply a JWKSet object to JWT and it would automatically fetch the correct key based on the keyid, but I don't see any methods in this codebase any more that call the JWKSet's filter_keys method. Am I missing something?

Change required due to the collections interface starting with Python 3.10.

suggested patch - change this

from collections import Mapping

to this

try:
    from collections.abc import Mapping
except ImportError:
    from collections import Mapping

I am getting this error while generating web token.

Python Version: 3.6
JWT Version: 0.5.2

The cryptography package has a CVE assigned to it for versions <= 2.9.2. Whilst jwt may not be directly affected, other packages that import cryptography may be.
Would it be possible to upgrade to 3.x?

Please update cryptography dependency, because when building cryptography==1.7.2, the package fails (recent versions of openssl - 1.1.0g). I saw that in newer versions of cryptography the problem does not occur.

python version : Python 3.7.9
jwt version: 1.3.1

how to solve

There is no list of acceptable algos in decode method and attacker can forge token with none algo and it will be valid.

The README states that symmetric algorithms are supported but I haven't been able to figure out how to decode them with this library. Either I'm missing something or this hasn't been implemented yet.

Either way, appreciate any help on this.