JSON Web Token implementation in Python
MIT License
Published by jpadilla over 7 years ago
Renamed the `jwt` script to `jwt-cli` to avoid issues with the script clobbering the `jwt` module in some circumstances. #187

Published by mark-adams about 8 years ago
Bugfix release
Published by mark-adams over 9 years ago
Added `jwt.get_unverified_header()` to parse and return the header portion of a token prior to signature verification.

Published by mark-adams over 9 years ago
Restored the `verify_expiration=` argument to `jwt.decode()` that was erroneously removed in 1.1.0.

The `verify_expiration=` argument to `jwt.decode()` is now deprecated and will be removed in a future version. Use the `option=` argument instead.

Published by mark-adams over 9 years ago
Published by jpadilla over 9 years ago
`jwt/contrib` and `jwt/contrib/algorithms` are now included when installing. Ref 882524d845349df532e2a96b30fbe7e74e6ff55c

Published by jpadilla over 9 years ago
- `api.header`. #85
- Use `PyCrypto` and `ecdsa` when `cryptography` isn't available. #103
- `alg` header. #110

A security researcher has notified JSON Web Token library maintainers about a number of vulnerabilities allowing attackers to bypass the verification step. Read more about some of these issues here.
This release fixes the vulnerabilities reported, continue reading for details.
Vulnerability 1: the `alg` field in the token header. Attackers can craft a malicious token containing an arbitrary payload that passes the verification step.

To reproduce: create a token with the header `{"typ":"JWT","alg":"none"}`. Include any payload. Do not include a signature (i.e. the token should end with a period). Note: some implementations include some basic but insufficient checking for a missing signature -- some minor fiddling may be required to produce an exploit.

Vulnerability 2: the `alg` field in the token header. If the system is expecting a token signed with one of the asymmetric algorithms, an attacker can bypass the verification step by knowing only the public key.

To reproduce: create an HS256 token. Generate the HMAC signature using the literal bytes of the public key file (often in the PEM format). This will confuse the implementation into interpreting the public key file as an HMAC key.
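As an added example (not PyJWT's own code), a minimal HS256 verifier in the spirit of this fix: the set of accepted algorithms is fixed by the caller, so both reproductions above are refused at the allow-list check before any signature or key material is touched. `sign_hs256`, `decode_verified`, `accepts` and the `NONE_TOKEN` test vector are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Algorithms this service accepts: decided server-side, never read from the token.
ALLOWED_ALGS = {"HS256"}
# Constructed alg "none" token: header {"typ":"JWT","alg":"none"}, payload
# {"sub":"admin"}, empty signature. Used only to show that it is rejected.
NONE_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJhZG1pbiJ9."

class InvalidToken(Exception):
    pass

def _b64url_decode(segment):
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_hs256(payload, secret):
    # Hypothetical helper for building HS256 test tokens (not PyJWT's API).
    header = _b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    body = _b64url_encode(json.dumps(payload).encode("utf-8"))
    mac = hmac.new(secret, ("%s.%s" % (header, body)).encode("ascii"), hashlib.sha256)
    return "%s.%s.%s" % (header, body, _b64url_encode(mac.digest()))

def decode_verified(token, key, algorithms=ALLOWED_ALGS):
    """Return the payload only if the header's alg is on the caller's allow-list and
    the signature verifies; the header is parsed but never trusted to pick the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_b64url_decode(header_b64).decode("utf-8")).get("alg")
    # Refuses "none", and refuses HS256 when RS256 is expected, before any key is used.
    if alg not in algorithms or alg != "HS256":  # only HS256 is implemented here
        raise InvalidToken("algorithm %r not allowed here" % alg)
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    return json.loads(_b64url_decode(payload_b64).decode("utf-8"))

def accepts(token, key, algorithms=ALLOWED_ALGS):
    try:
        decode_verified(token, key, algorithms)
        return True
    except (InvalidToken, ValueError, AttributeError):
        return False
```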
This release was possible thanks to the awesome @mark-adams.
Published by jpadilla over 9 years ago
Published by jpadilla almost 10 years ago
`InvalidTokenError` for invalid tokens. #60

The following exceptions have been marked for deprecation in favor of a renamed one to follow a better convention and will be removed in the next major version release.

- `ExpiredSignature` will be deprecated in favor of `ExpiredSignatureError`.
- `InvalidAudience` will be deprecated in favor of `InvalidAudienceError`.
- `InvalidIssuer` will be deprecated in favor of `InvalidIssuerError`.

Thanks to @mark-adams and @wbolster for all the work and feedback that went into this release.
Published by jpadilla almost 10 years ago
Switch from `PyCrypto` to `cryptography`. PR: #51 by @mark-adams
Published by jpadilla almost 10 years ago
Allow using a custom JSON encoder in `jwt.encode()`.
PR #49 by @defyrlt
Ref #37

```python
import decimal
import json

import jwt


class CustomJSONEncoder(json.JSONEncoder):
    """Encoder that converts Decimal values, which the stdlib encoder rejects, to float."""

    def default(self, o):
        if isinstance(o, decimal.Decimal):
            return float(o)
        # Defer anything else to the base class, which raises TypeError for unknown types.
        return super(CustomJSONEncoder, self).default(o)


data = {
    'some_decimal': decimal.Decimal('2.2')
}
# json_encoder is passed through to json.dumps when the claims are serialized.
token = jwt.encode(data, 'secret', json_encoder=CustomJSONEncoder)
```
Published by jpadilla almost 10 years ago
`header()` supports unicode input, like `decode()`. #48

Published by jpadilla almost 10 years ago