jwt.Decode - what is the need for a list of algorithms?

Viewed 283 times

2

I am studying Python and needed to solve an exercise using JWT (JSON Web Tokens).

It was necessary to create a token and verify its validity; searching for example code, I found in the documentation itself some options that easily met the need.

Among the usage examples for jwt.decode, two stand out:

  1. import jwt

     decoded = jwt.decode(encoded, public_key, algorithms='RS256')

  2. import jwt

     try:
         jwt.decode('JWT_STRING', 'secret', algorithms=['HS256'])
     except jwt.ExpiredSignatureError:
         pass  # Signature has expired

The curious thing is the algorithms parameter, which can receive either a single algorithm or a list. At this point, during a code review that a colleague did, we came to this question:

What is the need for a list of algorithms?

Is the list there to "try" decoding with every algorithm passed to algorithms?

2 answers

3


In the case of that particular library, according to the documentation:

When decoding, you can also specify which algorithms you would like to permit when validating the JWT by using the algorithms parameter which takes a list of allowed algorithms.

Source.

That is, while you are decoding a JWT, you can also specify which algorithms you want to allow during token validation.

For example, if you pass ['HS512', 'HS256'] as the algorithms argument of the decode method, it will be able to validate tokens encoded with either HS512 or HS256.

Is the list there to "try" decoding with every algorithm passed to algorithms?

In this case, I think "trying" is an incorrect word, since the JWT token itself specifies which algorithm was used during its creation. Therefore, the list serves to tell which algorithms can be used to decode the given token.

  • 1

    I got the idea!
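To make the allowlist behaviour concrete, here is an added stand-alone example (not code from the question, the answers, or PyJWT): a minimal HMAC-only re-implementation of the algorithms check using only the standard library. The secret, claims and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key (not from the original page).
SECRET = b"example-secret-not-from-the-page"
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(claims: dict, key: bytes, alg: str) -> str:
    """Build a compact JWS token; the header records which algorithm signed it."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    if alg == "none":  # unsigned token, built only to show that decode rejects it
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def decode(token: str, key: bytes, algorithms) -> dict:
    """Verify and return the claims; `algorithms` is an allowlist, not a try-list."""
    if isinstance(algorithms, str):  # a single name, as in the page's first example
        algorithms = [algorithms]
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    # The token names its own algorithm; verification proceeds only with that one,
    # and only if the caller permitted it. No other algorithm is attempted.
    if alg not in algorithms or alg not in HMAC_ALGS:
        raise ValueError(f"algorithm {alg!r} not permitted by {algorithms}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))

def accepted(token: str, algorithms) -> bool:
    """True if decode() accepts the token under the given allowlist."""
    try:
        decode(token, SECRET, algorithms)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    hs512_token = encode({"sub": "alice"}, SECRET, "HS512")
    print(accepted(hs512_token, ["HS512", "HS256"]))  # True: HS512 is on the list
    print(accepted(hs512_token, ["HS256"]))           # False: valid signature, HS512 not allowed
    print(accepted(encode({"sub": "alice"}, SECRET, "none"), ["HS256"]))  # False: unsigned
```

The second call shows the point of the accepted answer: the HS512 token is correctly signed, yet it is rejected before any signature check because its header names an algorithm the caller did not permit.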

-1

The list of algorithms passed as a parameter when decoding tells which algorithms are allowed to perform the token check and thus return the claims used during the token generation.

Reference
