1

I have received a JWT token created by a Java program using the jjwt module. Now, when I try to verify the token using pyjwt, it throws an exception.

import jwt
token = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMDAiLCJyb2xlcyI6IkJVU0lORVNTVVNFUiIsIm1vZGUiOiJzdG9yZWFwcCIsImlhdCI6MTQ5NDg1ODk4MCwiZXhwIjoxNDk0ODY0OTgwfQ.ckFnGv1NT-Ui2S90DNr50YoHSXc1ZLBNnEErnGMWL-E'
secret = '123456AB'
jwt.decode(token, secret, algorithms=['HS256'])

Traceback (most recent call last):
  File "", line 1, in
  File "/Applications/anaconda/envs/modulename/lib/python3.5/site-packages/jwt/api_jwt.py", line 64, in decode
    options, **kwargs)
  File "/Applications/anaconda/envs/modulename/lib/python3.5/site-packages/jwt/api_jws.py", line 116, in decode
    key, algorithms)
  File "/Applications/anaconda/envs/modulename/lib/python3.5/site-packages/jwt/api_jws.py", line 186, in _verify_signature
    raise DecodeError('Signature verification failed')
jwt.exceptions.DecodeError: Signature verification failed

If I use the same token in jwt.io, with the base64 encrypted option checked, it seems to work.

2 Answers

2

This is because when Java created the token, it thought the plain text you used as a secret was base64 encoded. I am assuming Java was expecting the string secret to be a base64-encoded version of some binary. Try base64 decoding the secret before decoding the JWT.

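import base64
import jwt

# token and secret are the values defined in the question
jwt.decode(token, base64.b64decode(secret), algorithms=['HS256'])

# The token in your question was expired so I ended up passing verify expiration = False
jwt.decode(token, base64.b64decode(secret), algorithms=['HS256'], options={'verify_exp': False})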

{u'iat': 1494858980, u'exp': 1494864980, u'sub': u'100', u'roles': u'BUSINESSUSER', u'mode': u'storeapp'}

2 Comments

It worked like a breeze! Thanks. The Java jjwt package does not clearly mention that the secret key we provide is assumed to be a base64 encoded string.
Glad to help. If this answer solved your problem, please mark it as accepted by clicking the check mark next to the answer. See: meta.stackexchange.com/questions/5234/… for more information.
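
The key-encoding mismatch described in the answer above, as an added example that is not part of the original posts and is not jjwt or PyJWT code: it recomputes the HS256 MAC with the standard library and reports whether a token was signed with the secret's raw UTF-8 bytes or with its base64-decoded bytes. The function names and the sample claims are assumptions made for illustration; the secret string and the token in the `__main__` block are the ones from the question.

```python
import base64, binascii, hashlib, hmac, json
from typing import Optional

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 token; used only to make the constructed samples."""
    head = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64url(_mac(key, head + '.' + body))}"

def verifies_hs256(token: str, key: bytes) -> bool:
    """True only if the token is HS256 and its MAC matches under `key`."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64url(head))
        given = _unb64url(sig)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # the algorithm is pinned by the verifier, not by the token
    return hmac.compare_digest(_mac(key, head + "." + body), given)

def key_interpretation(token: str, secret: str) -> Optional[str]:
    """Name the reading of `secret` that the signer used, or None if neither."""
    candidates = {"raw-utf8": secret.encode("utf-8")}
    try:
        candidates["base64-decoded"] = base64.b64decode(secret, validate=True)
    except binascii.Error:
        pass  # secret is not valid base64, so only the raw reading applies
    for name, key in candidates.items():
        if verifies_hs256(token, key):
            return name
    return None

if __name__ == "__main__":
    secret = "123456AB"  # the secret string from the question
    claims = {"sub": "100"}  # constructed sample claims
    print(key_interpretation(sign_hs256(claims, base64.b64decode(secret)), secret))
    print(key_interpretation(sign_hs256(claims, secret.encode()), secret))
    page_token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMDAiLCJyb2xlcyI6IkJVU0lORVNTVVNFUiIsIm1vZGUiOiJzdG9yZWFwcCIsImlhdCI6MTQ5NDg1ODk4MCwiZXhwIjoxNDk0ODY0OTgwfQ.ckFnGv1NT-Ui2S90DNr50YoHSXc1ZLBNnEErnGMWL-E"
    print(key_interpretation(page_token, secret))
```

The check covers only the signature; claim validation such as `exp` is left to the JWT library once the correct key bytes are known.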
0

You may try to verify the signature of the incoming token in your Python application using the same SecretKey as you have used in your Java application.
