Comments (8)
...but those were never part of the public (documented) API, right?
I think if this functionality makes sense to expose (can you elaborate on the use case?) it will need some big fat "this is possibly unsafe" warnings and preferably also corresponding names, e.g. unsafe_load() and so on.
from pyjwt.
What @wbolster said.
Ah, I see that they weren't, in fact, in __all__, even in 0.4.1 where they were in the package main module.
The use case is, I think, not uncommon. I serve multiple issuers. I need to inspect the issuer before I know which secret to use. On the other hand, this is just premature optimization where I'm trying to avoid the base64 decode when it comes time to verify.
Up to you all, then. I'm happy to submit a patch, with whatever scary names you think are appropriate, if it seems reasonable to make these public. Otherwise, no big deal.
I'm still not sure this should be public API, unless we have others interested in it being it. For now, you'll still be able to import it directly from jwt.api.
Yep. Closing. If more people come across this they can speak up if they want it.
I have the same need as @tilgovi: verifying JWTs received from multiple issuers, with a different key per issuer. Thus I need to get the issuer out of the JWT in order to pass in the appropriate key for verification.
I think it makes sense to expose an API for this.
As for safety for the user and bw-compat, what if there were a keyword argument for decode that returned the parts tuple and we just exposed verify but not load?
(payload, signing_input, header, signature) = decode(..., verify=False, parts=True)
if verify(payload, signing_input, header, signature) ...
That way, verify=False would have to be the explicit opt-in rather than trying to come up with a "safe" name for load?
OTOH, I don't like when functions have multiple return types.
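The multi-issuer flow that @tilgovi and the later commenter describe, as an added example that is not part of this thread or of the PyJWT project's own code. It uses only the standard library so the two steps are visible: an unverified read of the payload to pick the issuer's key, then signature verification with a pinned algorithm before any claim is trusted. The issuer URLs, secrets and sample tokens are constructed for the example. In current PyJWT 2.x the same split is `jwt.decode(token, options={"verify_signature": False})` (or `jwt.get_unverified_header(token)`) followed by `jwt.decode(token, key, algorithms=[...], issuer=...)`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed per-issuer HMAC secrets (placeholders, not real credentials).
ISSUER_KEYS = {
    "https://issuer-a.example": b"secret-for-issuer-a",
    "https://issuer-b.example": b"secret-for-issuer-b",
}
# The verifier decides the algorithm; the token's header never gets to choose.
ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a compact HS256 JWS; only used here to build sample tokens."""
    header = {"alg": ALG, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unverified_claims(token: str) -> dict:
    """Step 1: read the payload WITHOUT checking the signature.
    Nothing returned here is trustworthy; it is only used to choose a key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def verify_multi_issuer(token: str, now: Optional[float] = None) -> dict:
    """Step 2: pick the key by the (unverified) iss, then verify the
    signature and the standard claims before returning anything."""
    now = time.time() if now is None else now
    candidate_iss = unverified_claims(token).get("iss")
    key = ISSUER_KEYS.get(candidate_iss)
    if key is None:
        raise ValueError("unknown issuer")

    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != ALG:
        # Rejects alg=none and any attempt to switch algorithm families.
        raise ValueError("unexpected alg")

    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # Same bytes as step 1, but now bound to candidate_iss's key by the
    # signature, so iss (and the rest) can be trusted.
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Constructed sample: a token from issuer A, and a forgery that names
    # issuer A in its payload but is signed with issuer B's secret.
    good = sign_hs256({"iss": "https://issuer-a.example", "sub": "alice"},
                      ISSUER_KEYS["https://issuer-a.example"])
    forged = sign_hs256({"iss": "https://issuer-a.example", "sub": "mallory"},
                        ISSUER_KEYS["https://issuer-b.example"])
    print(verify_multi_issuer(good)["sub"])
    try:
        verify_multi_issuer(forged)
    except ValueError as e:
        print("forgery rejected:", e)
```

The point of the split is that the pre-verification `iss` is attacker-controlled input used only for key selection; anything that would change the security decision (the algorithm, expiry, and ultimately the claims themselves) is checked only after the signature has been validated with the key that selection produced.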