Comments (5)
So, the big question here would be... how would you handle conflict? If a consumer passed in a payload to encode() that already had "aud" set but they also passed in a value for audience=
I think the best thing in that situation would be to throw an exception. It seems like any other option would result in a confusing API.
from pyjwt.
@wbolster hmm not sure I understand your proposal. Mind showing an example or use case?
Code to encode a token, e.g.
payload = {}
token = jwt.encode(payload, key)
takes no audience= or issuer= args, while this does:
payload = jwt.decode(token, key, audience='foo', issuer='bar')
This means that application authors need to know internal details of the JWT spec if they want to generate tokens with audience or issuer claims embedded in them, since the only way to do so (currently) is to put aud and iss keys (with conforming values) into the payload dict. If applications put invalid data structures into those values, the token will be generated without error, but it will be non-compliant.
I argue that this is a discrepancy between encode/decode, since for decoding pyjwt takes care of the correct interpretation of the JWT spec to validate the audience and issuer claims, while for encoding application authors are on their own, since pyjwt doesn't help at all here.
Please let me know whether I've explained myself better this time. :)
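As an added example (not PyJWT's code; the helper names build_claims and rejection are hypothetical), this is how the encode side could take the same audience=/issuer= keywords as decode, raise on the conflict discussed in the first comment, and refuse malformed aud/iss values instead of signing a non-compliant token:

```python
from typing import Any, Dict, List, Optional, Union

Audience = Union[str, List[str]]


def _check_string_or_uri(name: str, value: Any) -> None:
    # RFC 7519: "iss" and each "aud" entry are StringOrURI, i.e. JSON strings.
    if not isinstance(value, str) or not value:
        raise TypeError(f"claim {name!r} must be a non-empty string, got {value!r}")


def build_claims(payload: Dict[str, Any], audience: Optional[Audience] = None,
                 issuer: Optional[str] = None) -> Dict[str, Any]:
    """Copy ``payload`` and set ``aud``/``iss`` from the keyword arguments.

    Hypothetical helper, not part of PyJWT. A keyword argument colliding with a
    same-named key already in ``payload`` raises ValueError (the behaviour
    proposed in the thread); a malformed ``aud``/``iss``, whether passed as a
    keyword or placed in the dict by hand, raises TypeError before signing.
    """
    claims = dict(payload)  # never mutate the caller's dict
    if audience is not None:
        if "aud" in claims:
            raise ValueError("audience= given but payload already has 'aud'")
        claims["aud"] = audience
    if issuer is not None:
        if "iss" in claims:
            raise ValueError("issuer= given but payload already has 'iss'")
        claims["iss"] = issuer
    if "aud" in claims:
        aud = claims["aud"]
        entries = aud if isinstance(aud, list) else [aud]
        if not entries:
            raise TypeError("claim 'aud' list must not be empty")
        for entry in entries:
            _check_string_or_uri("aud", entry)
    if "iss" in claims:
        _check_string_or_uri("iss", claims["iss"])
    return claims


def rejection(payload: Dict[str, Any], **kwargs: Any) -> Optional[str]:
    """Return the exception class name build_claims raises, or None if accepted."""
    try:
        build_claims(payload, **kwargs)
    except (ValueError, TypeError) as exc:
        return type(exc).__name__
    return None
```

The resulting dict is what would then be handed to the library, e.g. `jwt.encode(build_claims({"sub": "alice"}, audience="foo", issuer="bar"), key)`.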
@wbolster yeah definitely makes sense now
ok feel free to assign this issue to me. no guarantees about time frame but I'll see what I can do :-)