Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

jwt.exceptions.DecodeError: Not enough segments

See original GitHub issue

Problem description

pyjwt yields said error message when trying to decode an RS256-decoded ID token returned from our OIDC/Oauth token endpoint.

The signed JWT token is encoded using the following header/body:

jwt_header = {
    "x5c": [ jwt_cert ],
    "alg": "RS256"
}

jwt_payload = {
    "aud": config_idporten["aud"],
    "iss": config_idporten["client_id"],
    "iat": utc,
    "exp": utc + datetime.timedelta(seconds = config_idporten["jwt_delay"]),
    "jti": "client_jwt_id"
}

The token is then submitted to the token endpoint with the following payload:

payload = {
    "client_id": config_idporten["client_id"],
    "grant_type": "authorization_code",
    "code": authorization_response["code"],
    "redirect_uri": config_idporten["redirect_login"],
    "client_assertion_type": config_idporten["client_assertion_type"],
    "client_assertion": jwt_token
}

Trying to decode the returned ID token with the code shown bellow triggers an exception within pyjwt.

try:
    jwt_decoded_id_token = jwt.decode(
        jwt_id_token,
        jwt_public_key,
        audience = config_idporten["aud"],
        algorithms = ["RS256"])
except (jwt.ExpiredSignatureError, jwt.InvalidAudienceError) as e:
    print("[ERROR]", e)

Further notes

Trying to decode the ID token at jwt.io yields the expected outcome, and the ID token consists of three elements. Therefore I’m curious as to why pyjwt complains about there not being enough elements.

Any tips and pointers in the right direction would be much appreciated!

Issue Analytics

State:
Created 5 years ago
Comments:9 (1 by maintainers)

Top GitHub Comments

1reaction

fredaascommented, May 10, 2020

It’s been a while since we solved this problem. I’ll need to go back a take a look at the source, but if I remember correctly it had something to do with the jwt not being correctly formatted.

I’ll post a more in-depth answer when I have time.

1reaction

Esquire-ghcommented, Apr 30, 2019

I had a similar issue and I realised that the jwt token wasn’t being added as part of the request header. If you are using postman to make the requests, you could check if you are typing the token into the value section and not description.

Top Results From Across the Web

"Not enough segments" when seding a GET message with ...

The token you are trying to pass in ( TGazPL9rf3aIftplCYDTGDc8cbTd )is not a valid JWT. A valid JWT has three segments separated by...

JWT Not enough or too many segments - Google Groups

I am continually getting an error when my application receives a JWT token from the front end application, which is authenticating through ...

Python Examples of jwt.DecodeError - ProgramCreek.com

DecodeError ("Not enough segments") try: return ... InvalidTokenError: raise exceptions. ... DecodeError: msg = 'Token不合法' raise exceptions.

“Not enough segments” when seding a GET message with ...

I got this error in Flask Application: curl http://0.0.0.0:8080/ -H "Authorization: Bearer TGazPL9rf3aIftplCYDTGDc8cbTd" { "msg": "Not enough segments" }.

jwt.DecodeError Example - Program Talk

DecodeError ('Not enough segments') try: if sys.version_info >= (3, ... except TypeError as e: current_app.logger.exception(e) raise jwt.DecodeError('Invalid ...