Reputation: 3564
PyJWT returning invalid token signatures
I'm using PyJWT==1.4.2 to generate tokens that I intend to use for Firebase authentication.
Unfortunately I'm not able to use any of the third-party Python Firebase libraries, and even if I could I had the same difficulty when I tried with FirebaseTokenGenerator.
Inside of my API, I have a function for generating a token for a username.
118 def generate_token(self, username):
119 payload = {
120 'something': 'Here',
121 }
122 secret = "TESTSECRET"
123 token = jwt.encode(
124 payload,
125 secret,
126 algorithm='HS256')
127 return token
An example of a token I get from this function is:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzb21ldGhpbmciOiJIZXJlIn0.fpIMSRJ3AAL30LIDwHJM9ZOumdRzS7yooiiUgMPms2Y
Unfortunately, this is not a valid token. Online resource such as https://jwt.io/ are telling me that the signature portion is invalid.
Not sure if this is further helpful info, but when I try decoding the token I get the following:
b'{"alg":"HS256","typ":"JWT"}{"something"[83 chars]\x88'
Any thoughts on what I might be doing wrong?
Upvotes: 12
Views: 28807
Answers (5)
Reputation: 90
in any case someone use it like me and create token with this methood
from flask_jwt_extended import create_access_token
access_token = create_access_token(identity=access_token)
you shold add in your app.py
app.config['algorithms'] = ["HS256"]
I'm using PyJWT 2.1.0
Upvotes: 0
Reputation: 33
I guess with the latest version of PyJWT while decoding you need to use the algorithm.
I was facing the same issue. Solved it using the algorithm parameter. The PyJwt version I'm using is 2.0.1. Below is the sample code. Please try and let me know if it works.
payload = jwt.decode("YOUR_JWT_TOKEN","YOUR_SECRET_KEY", algorithms=["HS256"])
Upvotes: 2
Reputation: 116
example_payload = {
'public_id': user.public_id,
'exp': datetime.datetime.utcnow()+datetime.timedelta(minutes=30)
}
For ENCODING use
token = jwt.encode(example_payload,app.config['SECRET_KEY'],algorithm="HS256")
For DECODING use
data = jwt.decode(token, app.config['SECRET_KEY'], algorithms=["HS256"])
basically just adding the ALGORITHM and ALGORITHMS=[] parts... otherwise it gave me error (token invalid for operations after the log-in), but this fixed it.
In Python3 you don't need the ".decode('UTF-8')" after "jwt.encode()": it does it for you.
Also check you don't have both jwt and PyJWT packages:
pip3 list
if you have both jwt and PyJWT installed then do:
pip3 uninstall jwt
pip3 uninstall PyJWT
pip3 install PyJWT
re-run your app
Upvotes: 7
Reputation: 57658
That is indeed a valid token, if you go to jwt.io and paste that token and then update the secret used to verify it to be the same you used to generate the token then the tool will indicate that the signature is valid.
By default, jwt.io tries to validate the signature using the HS256 algorithm and the default secret of secret. You're indeed creating a JWT using the HS256 algorithm so the only thing you need to do to check if it's valid is to update the secret input box to use TESTSECRET.
Also, the signature component of JWT is raw binary data that may not display correctly if you try to decode it to text. For a bit more on how JWT's work you can check Get Started with JSON Web Tokens.
Upvotes: 13
Related Questions
- can't decode JWT token
- PyJWT get_signing_key_from_jwt throws PyJWKError: Unable to find a algorithm for key
- Decode Firebase JWT in Python using PyJWT
- jwt.exceptions.DecodeError: Invalid crypto padding
- Verify the JWT token signature without decoding it in the PyJWT library
- How to use pyJWT to verify signature on this JWT?
- PyJWT raises Signature verification failed
- Jwt Decode using PyJWT raises Signature verification failed
- How to validate a firebase token with python_jwt
- Firebase JWT library can't verify Python JWT token