PyJWKClient is not able to detect the ES384 Algorithm from a given key #616

Closed
dnltsk opened this issue Feb 10, 2021 · 1 comment · Fixed by #624

dnltsk commented Feb 10, 2021

The PyJWKClient is not able to detect the ES384 Algorithm from a key.

The code breaks with the following error message:

[ERROR] PyJWKError: Unable to find a algorithm for key: {'kty': 'EC', 'kid': 'ZWZDBDUHH3G3AK2G', 'x': 'BROh-CQfiSv_KlafsTld4_QBJqsDbqjlP0S47_lVXUWCHbatKBKnIJw6DlG2O29c', 'y': 'gKKj6VDEocCjaL0I9Z76mI4X4sFDBLw50lL0Wgmfr2ptGLkl9neSAd_z2oUBX7R3', 'crv': 'P-384', 'iat': 1612965351, 'exp': 1612986951}
Traceback (most recent call last):
  File "/opt/python/aws_lambda_powertools/tracing/tracer.py", line 303, in decorate
    response = lambda_handler(event, context, **kwargs)
  File "/opt/python/aws_lambda_powertools/logging/logger.py", line 270, in decorate
    return lambda_handler(event, context)
  File "/var/task/bff/oauth_result.py", line 27, in lambda_handler
    return execute(evt, config)
  File "/var/task/bff/oauth_result.py", line 33, in execute
    access_token = load_access_token(request, config)
  File "/var/task/bff/clients/oauth_client.py", line 26, in load_access_token
    id_token = _load_id_token(request.code, openid_configuration, config)
  File "/var/task/bff/clients/oauth_client.py", line 65, in _load_id_token
    signing_key = jwks_client.get_signing_key_from_jwt(id_token)
  File "/opt/python/jwt/jwks_client.py", line 54, in get_signing_key_from_jwt
    return self.get_signing_key(header.get("kid"))
  File "/opt/python/jwt/jwks_client.py", line 36, in get_signing_key
    signing_keys = self.get_signing_keys()
  File "/opt/python/jwt/jwks_client.py", line 23, in get_signing_keys
    jwk_set = self.get_jwk_set()
  File "/opt/python/jwt/jwks_client.py", line 20, in get_jwk_set
    return PyJWKSet.from_dict(data)
  File "/opt/python/jwt/api_jwk.py", line 63, in from_dict
    return PyJWKSet(keys)
  File "/opt/python/jwt/api_jwk.py", line 58, in __init__
    self.keys.append(PyJWK(key))
  File "/opt/python/jwt/api_jwk.py", line 21, in __init__
    raise PyJWKError("Unable to find a algorithm for key: %s" % self._jwk_data)

Also adding the 'alg': 'ES384' attribute via the hack discussed in #603 (comment) doesn't solve it.

Expected Result

The following code should work, because token and key belong together.

jwks_client = PyJWKClient(openid_configuration.jwks_uri)
signing_key = jwks_client.get_signing_key_from_jwt(id_token)

Actual Result

What does work is the decoding with disabled signature verification:

jwt.decode(
  id_token, algorithms=["ES384"], options={"verify_signature": False}
)

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": "3.2.1"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.8.5"
  },
  "platform": {
    "release": "20.3.0",
    "system": "Darwin"
  },
  "pyjwt": {
    "version": "2.0.1"
  }
}
@hjmallon

I can reproduce this issue, but adding the 'alg' seems to fix it for me. Is this a duplicate of #603?
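
Added example, not part of the thread and not PyJWT's own code: for an EC JWK without an `alg` member, the signature algorithm can be derived from `crv` using the RFC 7518 curve pairings, and that derived value can pin the `algorithms` list instead of trusting the token header. The helper names are hypothetical, the key is the one from the error message above, and the token is constructed.

```python
import base64
import json

# Curve -> (JWS algorithm, coordinate size in bytes), pairings from RFC 7518 section 3.4.
EC_CURVES = {"P-256": ("ES256", 32), "P-384": ("ES384", 48), "P-521": ("ES512", 66)}


def b64url_decode(value):
    """Decode unpadded base64url as used in JWKs and JWT segments."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def alg_for_ec_jwk(jwk):
    """Derive the JWS algorithm of an EC JWK from its curve (hypothetical helper)."""
    if jwk.get("kty") != "EC" or jwk.get("crv") not in EC_CURVES:
        raise ValueError("not an EC key on a supported curve")
    alg, size = EC_CURVES[jwk["crv"]]
    for coord in ("x", "y"):
        if len(b64url_decode(jwk.get(coord, ""))) != size:
            raise ValueError(f"{coord} has the wrong length for {jwk['crv']}")
    # "alg" is optional in a JWK; when present it must agree with the curve.
    if jwk.get("alg", alg) != alg:
        raise ValueError(f"alg {jwk['alg']!r} does not match {jwk['crv']}")
    return alg


def pinned_algorithms(token, jwk):
    """Return the algorithms list for verification, pinned by the key (hypothetical helper)."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    alg = alg_for_ec_jwk(jwk)
    if header.get("alg") != alg:
        raise ValueError(f"token alg {header.get('alg')!r} does not match key alg {alg}")
    return [alg]


# Public key from the error message in the issue ("iat"/"exp" omitted).
ISSUE_JWK = {
    "kty": "EC", "kid": "ZWZDBDUHH3G3AK2G", "crv": "P-384",
    "x": "BROh-CQfiSv_KlafsTld4_QBJqsDbqjlP0S47_lVXUWCHbatKBKnIJw6DlG2O29c",
    "y": "gKKj6VDEocCjaL0I9Z76mI4X4sFDBLw50lL0Wgmfr2ptGLkl9neSAd_z2oUBX7R3",
}
# Constructed token: only the header is meaningful, payload and signature are dummies.
_header = json.dumps({"alg": "ES384", "kid": ISSUE_JWK["kid"]}).encode()
SAMPLE_TOKEN = base64.urlsafe_b64encode(_header).decode().rstrip("=") + ".e30.c2ln"

if __name__ == "__main__":
    print(pinned_algorithms(SAMPLE_TOKEN, ISSUE_JWK))
```

The returned list is meant for the `algorithms=` argument of `jwt.decode`, with signature verification left enabled.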
