
Add support for OrderedDict to headers to make possible custom ordering


Headers order in jwt.encode() follows values hardcoded in api_jws.py:

        header = {'typ': self.header_typ, 'alg': algorithm}

and cannot be changed. This issue is related to the old #116: the new RFC 8225 has pretty strict requirements for headers; they should be ordered lexicographically (A-Z):

    The signature of the PASSporT is created as specified by JWS
    ([RFC7515], Section 5.1, Steps 1 through 6).  PASSporT MUST use the
    JWS Protected Header.  For the JWS Payload and the JWS Protected
    Header, however, the lexicographic ordering and whitespace rules
    described in Sections 4 and 5 of this document, and the JSON
    serialization rules in Section 9 of this document, MUST be followed.

Expected Result

Values for headers should not override the configured ones

{'alg': 'ES256', 'ppt': 'shaken', 'typ': 'passport', 'url': 'example.com'}

Actual Result

No matter what order is used for headers, jwt.encode() always places the hardcoded typ/alg keys first.

{'typ': 'passport', 'alg': 'ES256', 'ppt': 'shaken', 'url': 'example.com'}

Reproduction Steps

$ openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout key.pem -out cert.crt -days 3650 -subj "/C=US/ST=Pennsylvania/L=Philadelphia/O=Example CA/CN=SHAKEN"
$ python
>>> import jwt
>>> from collections import OrderedDict
>>> key = open('domain.key').read()
>>> payload = {'attest': "my test1", 'dest': "3333", 'iat': "423dfd", 'orig': "321", 'origid': "123"}
>>> header = {'alg': 'ES256', 'ppt': 'shaken', 'typ': 'passport', 'url': 'example.com'}
>>> header_ordered = OrderedDict()
>>> header_ordered['alg'] = 'ES256'
>>> header_ordered['ppt'] = 'shaken'
>>> header_ordered['typ'] = 'passport'
>>> header_ordered['url'] = 'example.com'
>>> jwt.get_unverified_header(jwt.encode(payload, key, algorithm="ES256", headers=header))
{'typ': 'passport', 'alg': 'ES256', 'ppt': 'shaken', 'url': 'example.com'}
>>> jwt.get_unverified_header(jwt.encode(payload, key, algorithm="ES256", headers=header_ordered))
{'typ': 'passport', 'alg': 'ES256', 'ppt': 'shaken', 'url': 'example.com'}

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "2.9.2"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.8.12"
  },
  "platform": {
    "release": "11.3-RELEASE-p6",
    "system": "FreeBSD"
  },
  "pyjwt": {
    "version": "1.7.1"
  }
}
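As an added example (not code from the issue or from PyJWT), the block below reproduces the ordering reported above by mimicking the hardcoded typ/alg-first header construction, then builds the same compact JWS with the protected header serialized as RFC 8225 requires (keys sorted lexicographically, no whitespace), and adds a verifier-side check that flags a token whose header is not in lexicographic order. It assumes HMAC-SHA256 instead of ES256 only to stay dependency-free, and all key and payload values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; a real PASSporT is signed with ES256, not HMAC.
SECRET = b"constructed-demo-secret"
PAYLOAD = {"attest": "A", "dest": {"tn": ["3333"]}, "iat": 1443208345,
           "orig": {"tn": "321"}, "origid": "123"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 Section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_json(obj: dict) -> bytes:
    """Keys sorted lexicographically and no whitespace: the RFC 8225 form
    for both the PASSporT protected header and payload."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def insertion_order_json(obj: dict) -> bytes:
    """Compact serialization that keeps dict insertion order (the
    non-compliant output the issue reports)."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def hardcoded_order_header(extra: dict, alg: str) -> dict:
    """Mimics the issue: 'typ' and 'alg' are placed first by the library,
    and the caller's headers are merged afterwards (existing keys keep
    their position, so 'typ' stays first even when overridden)."""
    header = {"typ": "JWT", "alg": alg}
    header.update(extra)
    return header


def sign_hs256(header: dict, payload: dict, secret: bytes, canonical: bool) -> str:
    """Build a compact JWS; canonical=True applies the RFC 8225 ordering."""
    dumps = canonical_json if canonical else insertion_order_json
    signing_input = b64url(dumps(header)) + "." + b64url(dumps(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def protected_header_keys(token: str) -> list:
    """Header member names in the order they appear on the wire."""
    seg = token.split(".")[0]
    raw = base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    return list(json.loads(raw).keys())  # json.loads preserves document order


def header_is_lexicographic(token: str) -> bool:
    """Verifier-side check: unsorted header keys violate RFC 8225 Section 4."""
    keys = protected_header_keys(token)
    return keys == sorted(keys)
```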


Top GitHub Comments

auvipy commented, Dec 12, 2021 (1 reaction)

please upgrade to latest pypi release & report again

kadabusha commented, Jul 19, 2022 (0 reactions)
