Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
PyJWK doesn't support RSA-OAEP algorithm
See original GitHub issueUsing a hosted KeyCloak instance from https://www.cloud-iam.com/ which sets its enc public cert to use RSA-OAEP causes PyJWKClient to throw an exception (raised by PyJWK constructor).
Expected Result
I don’t know the ins and outs of it, but either the RSA-OAEP algorithm should be supported or the enc cert ignored (the sig one is RSA256).
Actual Result
Traceback (most recent call last):
File "/home/flyte/dev/ascender/ascender-api/test.py", line 8, in <module>
PyJWKSet(certs_from_keycloak["keys"])
File "/home/flyte/.cache/pypoetry/virtualenvs/ascender-api-35481XGP-py3.10/lib/python3.10/site-packages/jwt/api_jwk.py", line 87, in __init__
self.keys.append(PyJWK(key))
File "/home/flyte/.cache/pypoetry/virtualenvs/ascender-api-35481XGP-py3.10/lib/python3.10/site-packages/jwt/api_jwk.py", line 50, in __init__
raise PyJWKError("Unable to find a algorithm for key: %s" % self._jwk_data)
jwt.exceptions.PyJWKError: Unable to find a algorithm for key: {'kid': 'A2MJgrKnftrPyUXS-FNN4g0spwz1H89gPTAzjb4u91o', 'kty': 'RSA', 'alg': 'RSA-OAEP', 'use': 'enc', 'n': 'xTT6GOIMi7GXWUNQ4ZoFQuHihNVnRxx9Y9hAcvV6ZO-OiT9dcLqVIlhDckf7yVOfitMG_qZkhIzaOBWNWJZK1_zaeFCv_GQPPEVi_JafLUKz6AAaMdqiFuKfDyoAecOJWc0ar4autehQMpuRLh8POMmrnNMLolWqEauYmu_ajT9eA99hcseahDDhPWgGuSc0mFNS5YcjyIaoKfwWWkvtfqKNBEzf_EnbSsAibQWXUvVCRRLSNdCrImdR-FdprpudQs7sTetP5lU2aP0ChpM8GemidA5ZieNdykW1lVi0Sa6R1gkGzhL03LYzaPzgc8RMJQtaZg93EuSQLs66uKM3-w', 'e': 'AQAB', 'x5c': ['MIICnzCCAYcCBgF+Q6te9zANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhhc2NlbmRlcjAeFw0yMjAxMTAxMTA1MTFaFw0zMjAxMTAxMTA2NTFaMBMxETAPBgNVBAMMCGFzY2VuZGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTT6GOIMi7GXWUNQ4ZoFQuHihNVnRxx9Y9hAcvV6ZO+OiT9dcLqVIlhDckf7yVOfitMG/qZkhIzaOBWNWJZK1/zaeFCv/GQPPEVi/JafLUKz6AAaMdqiFuKfDyoAecOJWc0ar4autehQMpuRLh8POMmrnNMLolWqEauYmu/ajT9eA99hcseahDDhPWgGuSc0mFNS5YcjyIaoKfwWWkvtfqKNBEzf/EnbSsAibQWXUvVCRRLSNdCrImdR+FdprpudQs7sTetP5lU2aP0ChpM8GemidA5ZieNdykW1lVi0Sa6R1gkGzhL03LYzaPzgc8RMJQtaZg93EuSQLs66uKM3+wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBXmX39VyMNsmWn6I5myY9YZbHZEaYJ7xZ4eRbkrNN6znx8ar1YdI5zqpp2J91SL7Ni6IVEqHPPkwh/JI6KcEK5mO4bQxLY5YJb4h0z00jFoyn5IxDkFUgbgWQxRanyeSh0iQDHz0J6hbgjzTft25y87KxrdvJDQ8lxoDuQgSogrw/EAl0hMnauS1m87pjkzhhsYDBRwy0G3muDEgmA1E7RAM00ec/SuDAKvwF7HFf6xgSH8YALstz34drKbkWZIiGQIub3Y4swbN3Myb+whiwCLYW1olubFkvH7anSq6d39ZdJhxXmz3rhK0YlJ9O32WHBA1w/U/4wg8YIv6DSHYGF'], 'x5t': 'WAcN3AzixLmWqoKdNhhmxilWhFU', 'x5t#S256': 'M4D1NyJsOrtsjG7tRbDs-zd7hg2tvm9kbYDS4gRO7KI'}
Reproduction Steps
import json
from jwt import PyJWKSet
certs_from_keycloak = json.loads("""{"keys":[{"kid":"JJPd3kTh6QFpJ9P-MSFZbBf43S-LRTAot4DJmwd5EQk","kty":"RSA","alg":"RS256","use":"sig","n":"yluqHNqoRdCqCmhivy_yl4dDDMI5pwg59VMz7dYQREfehxukXPhfchbAHxDhGCZjUYieV4TIRGyEBVR3zQ9ihjStYPz8bXUeWqMBSYaH8R7Xb98GeZplVKnF-OLj0fWJkoNSgPYKuSDm2KXdz2hIZ1jOPKLDqpblnnqxrL_xX-1_kEBWehJmzmS0McCOK2nm7lLWf6zoTBi-bp1x5iNl7qteHdo0UZl1DP4NVE0lYk0uGa-L6ye0pQKS77Ro3R5nURvEO0AcaXYr6wLcxYsPRiYDlOactB6WnRFKAhEgRzdp1a04tH8hquHhrdjTc_ZoZelk6ppd-3ZqGq3jMc7TWw","e":"AQAB","x5c":["MIICnzCCAYcCBgF+Q6teWDANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhhc2NlbmRlcjAeFw0yMjAxMTAxMTA1MTFaFw0zMjAxMTAxMTA2NTFaMBMxETAPBgNVBAMMCGFzY2VuZGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyluqHNqoRdCqCmhivy/yl4dDDMI5pwg59VMz7dYQREfehxukXPhfchbAHxDhGCZjUYieV4TIRGyEBVR3zQ9ihjStYPz8bXUeWqMBSYaH8R7Xb98GeZplVKnF+OLj0fWJkoNSgPYKuSDm2KXdz2hIZ1jOPKLDqpblnnqxrL/xX+1/kEBWehJmzmS0McCOK2nm7lLWf6zoTBi+bp1x5iNl7qteHdo0UZl1DP4NVE0lYk0uGa+L6ye0pQKS77Ro3R5nURvEO0AcaXYr6wLcxYsPRiYDlOactB6WnRFKAhEgRzdp1a04tH8hquHhrdjTc/ZoZelk6ppd+3ZqGq3jMc7TWwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB0EJ2Q8/YKMFr7JRG7IwfMo2Z5bpBluVxtnBTt6EcS+QBQ4LVvh6GmpeNPZhVJHjSb7/yFs1iDGIiJDzbffE+mXRYYfjcl02IlzwOEv+v1wVqbCWfKuZIIDZIWJgmZCJF8xUJgGt+wyv3N2lR1X9GDaCaq9Z4L69vsB+2EQ0YM64ZJf5FXlYQ3Fdaq6kEZaTXpNwR7TlvKFUYaelP0a/c8m/izzfE8dX1WJBUne9Pgnn7emfdTYWmdCAaodv97DJoc3RWQgJhdgxgK85/qDIBfI86FiM3dPWR6/FmLox4f5WIZumWuAgNXBVyvBu+qU7FbwpeS+SlpBCwZuWqoMvEP"],"x5t":"dcy5v0xWv0qvgfX3CzbukvB5TlA","x5t#S256":"tyTUdZfGEopkBZ0BYyC8IxvQL5KFCn9-Po0V4ociZiY"},{"kid":"A2MJgrKnftrPyUXS-FNN4g0spwz1H89gPTAzjb4u91o","kty":"RSA","alg":"RSA-OAEP","use":"enc","n":"xTT6GOIMi7GXWUNQ4ZoFQuHihNVnRxx9Y9hAcvV6ZO-OiT9dcLqVIlhDckf7yVOfitMG_qZkhIzaOBWNWJZK1_zaeFCv_GQPPEVi_JafLUKz6AAaMdqiFuKfDyoAecOJWc0ar4autehQMpuRLh8POMmrnNMLolWqEauYmu_ajT9eA99hcseahDDhPWgGuSc0mFNS5YcjyIaoKfwWWkvtfqKNBEzf_EnbSsAibQWXUvVCRRLSNdCrImdR-FdprpudQs7sTetP5lU2aP0ChpM8GemidA5ZieNdykW1lVi0Sa6R1gkGzhL03LYzaPzgc8RMJQtaZg93EuSQLs66uKM3-w","e":"AQAB","x5c":["MIICnzCCAYcCBgF+Q6te9zANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhhc2NlbmRlcjAeFw0yMjAxMTAxMTA1MTFaFw0zMjAxMTAxMTA2NTFaMBMxETAPBgNVBAMMCGFzY2VuZGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTT6GOIMi7GXWUNQ4ZoFQuHihNVnRxx9Y9hAcvV6ZO+OiT9dcLqVIlhDckf7yVOfitMG/qZkhIzaOBWNWJZK1/zaeFCv/GQPPEVi/JafLUKz6AAaMdqiFuKfDyoAecOJWc0ar4autehQMpuRLh8POMmrnNMLolWqEauYmu/ajT9eA99hcseahDDhPWgGuSc0mFNS5YcjyIaoKfwWWkvtfqKNBEzf/EnbSsAibQWXUvVCRRLSNdCrImdR+FdprpudQs7sTetP5lU2aP0ChpM8GemidA5ZieNdykW1lVi0Sa6R1gkGzhL03LYzaPzgc8RMJQtaZg93EuSQLs66uKM3+wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBXmX39VyMNsmWn6I5myY9YZbHZEaYJ7xZ4eRbkrNN6znx8ar1YdI5zqpp2J91SL7Ni6IVEqHPPkwh/JI6KcEK5mO4bQxLY5YJb4h0z00jFoyn5IxDkFUgbgWQxRanyeSh0iQDHz0J6hbgjzTft25y87KxrdvJDQ8lxoDuQgSogrw/EAl0hMnauS1m87pjkzhhsYDBRwy0G3muDEgmA1E7RAM00ec/SuDAKvwF7HFf6xgSH8YALstz34drKbkWZIiGQIub3Y4swbN3Myb+whiwCLYW1olubFkvH7anSq6d39ZdJhxXmz3rhK0YlJ9O32WHBA1w/U/4wg8YIv6DSHYGF"],"x5t":"WAcN3AzixLmWqoKdNhhmxilWhFU","x5t#S256":"M4D1NyJsOrtsjG7tRbDs-zd7hg2tvm9kbYDS4gRO7KI"}]}""")
PyJWKSet(certs_from_keycloak["keys"])
Pretty-printed cert for your pleasure
{
"kid": "A2MJgrKnftrPyUXS-FNN4g0spwz1H89gPTAzjb4u91o",
"kty": "RSA",
"alg": "RSA-OAEP",
"use": "enc",
"n": "xTT6GOIMi7GXWUNQ4ZoFQuHihNVnRxx9Y9hAcvV6ZO-OiT9dcLqVIlhDckf7yVOfitMG_qZkhIzaOBWNWJZK1_zaeFCv_GQPPEVi_JafLUKz6AAaMdqiFuKfDyoAecOJWc0ar4autehQMpuRLh8POMmrnNMLolWqEauYmu_ajT9eA99hcseahDDhPWgGuSc0mFNS5YcjyIaoKfwWWkvtfqKNBEzf_EnbSsAibQWXUvVCRRLSNdCrImdR-FdprpudQs7sTetP5lU2aP0ChpM8GemidA5ZieNdykW1lVi0Sa6R1gkGzhL03LYzaPzgc8RMJQtaZg93EuSQLs66uKM3-w",
"e": "AQAB",
"x5c": [
"MIICnzCCAYcCBgF+Q6te9zANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhhc2NlbmRlcjAeFw0yMjAxMTAxMTA1MTFaFw0zMjAxMTAxMTA2NTFaMBMxETAPBgNVBAMMCGFzY2VuZGVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTT6GOIMi7GXWUNQ4ZoFQuHihNVnRxx9Y9hAcvV6ZO+OiT9dcLqVIlhDckf7yVOfitMG/qZkhIzaOBWNWJZK1/zaeFCv/GQPPEVi/JafLUKz6AAaMdqiFuKfDyoAecOJWc0ar4autehQMpuRLh8POMmrnNMLolWqEauYmu/ajT9eA99hcseahDDhPWgGuSc0mFNS5YcjyIaoKfwWWkvtfqKNBEzf/EnbSsAibQWXUvVCRRLSNdCrImdR+FdprpudQs7sTetP5lU2aP0ChpM8GemidA5ZieNdykW1lVi0Sa6R1gkGzhL03LYzaPzgc8RMJQtaZg93EuSQLs66uKM3+wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBXmX39VyMNsmWn6I5myY9YZbHZEaYJ7xZ4eRbkrNN6znx8ar1YdI5zqpp2J91SL7Ni6IVEqHPPkwh/JI6KcEK5mO4bQxLY5YJb4h0z00jFoyn5IxDkFUgbgWQxRanyeSh0iQDHz0J6hbgjzTft25y87KxrdvJDQ8lxoDuQgSogrw/EAl0hMnauS1m87pjkzhhsYDBRwy0G3muDEgmA1E7RAM00ec/SuDAKvwF7HFf6xgSH8YALstz34drKbkWZIiGQIub3Y4swbN3Myb+whiwCLYW1olubFkvH7anSq6d39ZdJhxXmz3rhK0YlJ9O32WHBA1w/U/4wg8YIv6DSHYGF"
],
"x5t": "WAcN3AzixLmWqoKdNhhmxilWhFU",
"x5t#S256": "M4D1NyJsOrtsjG7tRbDs-zd7hg2tvm9kbYDS4gRO7KI"
}
System Information
{
"cryptography": {
"version": "36.0.1"
},
"implementation": {
"name": "CPython",
"version": "3.10.1"
},
"platform": {
"release": "5.4.0-91-generic",
"system": "Linux"
},
"pyjwt": {
"version": "2.3.0"
}
}
Issue Analytics
- State:
- Created 2 years ago
- Reactions:3
- Comments:13 (1 by maintainers)
Top Results From Across the Web
Does PHP supports RSA-OAEP-256 algorithm without any ...
PHP/OpenSSL supports OAEP but only with SHA1. An alternative is phpseclib. Be aware that JWE is more than RSA.
Read more >Solved: Unable to create JWT using third party JWKS
RSA-OAEP-256; RSAES-PKCS1-v1_5. At the time the policy executed, the problem it encountered is that the algorithm you specified is not compatible with the ......
Read more >Digital Signature Algorithms — PyJWT 2.6.0 documentation
The JWT specification supports several algorithms for cryptographic signing. ... RS256 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash algorithm ...
Read more >JSON Web Token (JWT) with RSA encryption - Connect2id
The CEK is encrypted with RSAES with Optimal Asymmetric Encryption Padding (OAEP). Use RSA-OAEP-256 or another SHA-2 based RSA algorithm. Don't use RSA-OAEP...
Read more >Is RSA-OAEP deprecated? - Cryptography Stack Exchange
Web browsers support RSA-OAEP, which works exactly as I need. But there is a table which lists supported algorithms for web crypto at...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
As a workaround you can also configure keycloak to disable the RSA-OAEP key or use a different algorithm until it is supported.
Realm->Settings->Keys->rsa-enc-generated->enabled=FalseI think the issue itself may be resolved with #762.