jwt.decode verify_signature=False and verify_exp=True doesn't work properly


When trying to decode an expired token to see if it needs a refresh, the expected exception doesn’t raise.

Expected Result

I expect the following code to raise an ExpiredSignatureError

Actual Result

However it doesn’t raise.

Reproduction Steps

import jwt

audience = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
token = (
        "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJSUzI1NiJ9.eyJpc3MiOiAicHJvbWlzaW5nLWxpZmUtMjE3NTEzQGFw"
        "cHNwb3QuZ3NlcnZpY2VhY2NvdW50LmNvbSIsICJzdWIiOiAicHJvbWlzaW5nLWxpZmUtMjE3NTEzQGFwcHNwb"
        "3QuZ3NlcnZpY2VhY2NvdW50LmNvbSIsICJhdWQiOiAiaHR0cHM6Ly9pZGVudGl0eXRvb2xraXQuZ29vZ2xlYX"
        "Bpcy5jb20vZ29vZ2xlLmlkZW50aXR5LmlkZW50aXR5dG9vbGtpdC52MS5JZGVudGl0eVRvb2xraXQiLCAidWl"
        "kIjogInVzZXJfMTFrUWQxbzRpYUxpUTc3WHNzNmtraTJvQU9JV282WDhpZSIsICJpYXQiOiAxNjAyNjYwOTkw"
        "LCAiZXhwIjogMTYwMjY2NDU5MCwgImNsYWltcyI6IHsibWVyY2hhbnRfaWQiOiAibWVyY2hhbnRfMTFrUWNkd"
        "DcycDR2NkRVUElVNjIwd3VnRVd1ODQySjNRYSJ9fQ.dOsXrwH23rJmGunQz7_o3M-AEHlUkLt_orjSn9GINkk"
        "r6y-3odlguPBW-9Yegn9cteRn3Q04CYxQYqjvFne8CKy8wdh9yj2vCTDkxLhGg5qzso2r93R-2g16Cbkm0-Wl"
        "MJV8cvjIl0IURy1Q2YLNmZEJlwm5PDbforncXtum9LXtBNXqE2vMKaZtwVIRXoyWVorz8BPKT9XV31yeaTfD9"
        "kC9-4TP2XoXa82G-NxVQou9EACfiQwF2HpEm-K02R0mfEp67WgAmmNuqoqlZqvxzbw95J0-vgk89sOxXpAW3JG"
        "qYKWuW_OnrnnNsOZKrX4pD2Rl5RTll_z-qx0tvnNmKw"
)

try:
    jwt.decode(
        token,
        algorithms=["RS256"],
        audience=audience,
        options={"verify_signature": False, "verify_exp": True},
    )
except jwt.ExpiredSignatureError:
    print("Test pass")
else:
    print("Test failed")

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "3.3.1"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.8.6"
  },
  "platform": {
    "release": "5.8.0-33-generic",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.0.0"
  }
}

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions:3
  • Comments:5 (2 by maintainers)

Top GitHub Comments

1 reaction
Natim commented, Jan 22, 2021

Yes, in my case it is to know if I need to refresh the token, so validating the signature is not my app's responsibility.

0 reactions
Natim commented, Jan 22, 2021

I started a fix here: https://github.com/jpadilla/pyjwt/pull/608 I would be glad if one of you could have a look and see if it fixes their issues too.
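
An added example, not part of the GitHub thread and not PyJWT code: a standard-library check for the refresh use case described above, reading `exp` from the unverified payload without depending on how `jwt.decode` combines `verify_signature` and `verify_exp`. The names `needs_refresh`, `b64url_decode` and `sample_token` are hypothetical, and the sample tokens are constructed.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def needs_refresh(token: str, leeway: int = 0, now: Optional[float] = None) -> bool:
    """Return True when the UNVERIFIED exp claim says the token has expired.

    The signature is not checked, so anyone can forge these claims. Use the
    result only as a hint to request a new token, never to grant access.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    exp = claims.get("exp") if isinstance(claims, dict) else None
    # bool is an int subclass, so exclude it explicitly.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return True  # missing or malformed exp: treat the token as stale
    current = time.time() if now is None else now
    return exp <= current - leeway


def sample_token(claims: dict) -> str:
    # Constructed sample token: real header/payload encoding, dummy signature.
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    expired = sample_token({"exp": 1602664590})  # constructed exp value
    print(needs_refresh(expired))                      # expired long ago
    print(needs_refresh(sample_token({"sub": "x"})))   # no exp claim
```

The service that accepts the token must still verify its signature and expiry itself; this check only tells the client when to ask for a new one.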
