We are using a microservice architecture where we create our jwt tokens in a different service. We added today django-rest-framework-simplejwt for verifying jwt tokens in one of our django services. While adding this we were faced with the error message that the Token is invalid or expired. We are using RS256 and checked that the token and public key were valid. We tracked down the issue and found out that PyJWT raised an issue that RS256 algorithm does not exist.
This was because the cryptography was not installed in the virtualenv. Also, we are using pip-tools for dependency management. After adding cryptography to the dependencies manually it now works fine.
Did anyone else faced the same issue?
@thacoon My educated guess: This is because the setup.py in PyJWT specifies the cryptography package is an extra package that may be required for certain algorithms. For RS256, it is necessary to have the cryptography package.
For this repository, HS256 is the default algorithm and is built-in to PyJWT (maybe, never checked, but assuming so since cryptography package isn't necessary). PyJWT IS a required installed package for THIS repository, so HS256 works properly. We could perhaps let people know that the cryptography package is necessary for certain algorithms.
@Andrew-Chen-Wang yes that would be nice if you could note this in the README.
As as a note I was using HS512 for a project which has subsequently stopped working. I switched back to HS256 which resolved the problem. Haven't had time to investigate yet but I was just getting "Token is invalid or expired" even though the token was valid. I had both PyJWT and cryptography installed and up to date.
@NZLostboy I'm curious as to why HS512 wouldn't work. Perhaps a misspelling in SIMPLE_JWT settings? Was your signing key at least 512 bits long (64 bytes/chars long)? Did you change any settings? Maybe misspelling of algorithm? Your problem would likely go into another issue.
You don't need the cryptography package to use HS512, as noted in PyJWT:
(Can't show code snippet from diff repo, but that's the permalink anyways).
I think this could be better indicated when it occurs at runtime, for example I was attempting to use RS512 which "worked on my machine" because cryptography was installed as a transitive dev dependency, but then it broke in the container with "Token is invalid or expired". Took me a while to work out that what that error actually meant was 'RS512' is not available.
If you caught InvalidAlgorithmError specifically (which is currently caught by line 57 in backends.py) you could put a more specific error message in the response.
Happy to submit a PR if you think this is worthwhile.
@nicktindall Please do submit a PR! Curious though, is InvalidAlgorithmError caught if you use different casing (e.g. camel case idk) of the algorithm you specify in the SIMPLE_JWT settings? That would be a little confusing. Hopefully InvalidAlgorithmError is only raised when there's a misspelling or if cryptography is not installed.
It looks like InvalidAlgorithmException will be raised when the token is signed with an algorithm other than the one you've specified in SIMPLE_JWT settings (api_jws.py:215) or if the nominated algorithm isn't installed (e.g. due to missing cryptography, api_jws.py:226)
Working on a PR :)
@Andrew-Chen-Wang yes that would be nice if you could note this in the README.
I agree. I spent some time trying to figure out the issue, then I had to go through the code to find out it needs the cryptography package.
@ribbonhood I've merged a PR that should help with this. I haven't pushed a minor version out yet, but yeah I can see how this is annoying and hopefully that PR fixes it (it's the one above your comment).
Most helpful comment
@thacoon My educated guess: This is because the
setup.pyin PyJWT specifies thecryptographypackage is an extra package that may be required for certain algorithms. For RS256, it is necessary to have the cryptography package.For this repository, HS256 is the default algorithm and is built-in to PyJWT (maybe, never checked, but assuming so since cryptography package isn't necessary). PyJWT IS a required installed package for THIS repository, so HS256 works properly. We could perhaps let people know that the cryptography package is necessary for certain algorithms.