Comments (10)
Following this to get a:
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
and then setting this to JWT_SECRET_KEY seems to do the trick.
from pyjwt.
This might be related to #90
The issue is mentioned here: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#pem and also talked about in #82.
The solution is to load the certificate using:
from cryptography import x509
from cryptography.hazmat.primitives import serialization
key = x509.load_pem_x509_certificate(PUBLIC_KEY).public_key()  # PEM certificate: parse it and take its public key
key = serialization.load_pem_public_key(PUBLIC_KEY)  # or, for a bare PEM public key, load it directly
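As an added example (not code from the issue or from the pyjwt project), here is the certificate-to-key conversion the comment above describes, wrapped around jwt.decode; the RSA key and self-signed certificate are constructed inline for the demo, and public_key_from_pem is a hypothetical helper that the caller applies before handing a key to pyjwt.

```python
import datetime

import jwt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_cert_and_key():
    # Constructed for the demo: a throwaway RSA key and a self-signed certificate.
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(private_key, hashes.SHA256())
    )
    return private_key, cert.public_bytes(serialization.Encoding.PEM)


def public_key_from_pem(pem: bytes):
    # Hypothetical helper: the caller knows what it holds and converts it to a key
    # object before calling pyjwt, which is the documentation-side fix discussed.
    if b"-----BEGIN CERTIFICATE-----" in pem:
        return x509.load_pem_x509_certificate(pem).public_key()
    return serialization.load_pem_public_key(pem)


def verify_token(token: str, pem: bytes) -> dict:
    # RS256 only; pinning algorithms avoids the classic "none"/HS256 confusion.
    return jwt.decode(token, public_key_from_pem(pem), algorithms=["RS256"])


def demo():
    private_key, cert_pem = make_cert_and_key()
    token = jwt.encode({"sub": "alice"}, private_key, algorithm="RS256")
    try:  # passing the raw certificate PEM as the key is the mistake from the issue
        jwt.decode(token, cert_pem, algorithms=["RS256"])
        raw_cert_accepted = True
    except Exception:
        raw_cert_accepted = False
    return raw_cert_accepted, verify_token(token, cert_pem)


if __name__ == "__main__":
    print(demo())
```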
Still not clear with this if there's something we can do to prevent this confusion.
You could make this logic fall back to one more attempt. You could add some additional logic to look for the begin/end public key string as well.
Interested in seeing a PR for this.
@wbolster @mark-adams I'd love your thoughts on this.
I think we should update the documentation to indicate how to load a key from an x509 certificate.
I don't think adding more fallback logic is the right approach. The API expects a key and it works when you pass in a key. A certificate is way more than a key so it's a bit outside the scope of our code and would only add complexity.
It should be the consumer's responsibility to make sure they are passing in a key and not something else. If we do something like this, why not check to see if it is ZIP compressed, or embedded in a Word doc, or maybe a reversed string? :)
I would say more important than the fallback logic would just be documentation.
Sold! If anyone wants to take a stab at that, pull requests are welcome.
+1 on having this as documentation. Adding magic detection logic to the jwt API isn't the right way imho, as @mark-adams pointed out.