MCPcopy Create free account
hub / github.com/mpdavis/python-jose / decode

Function decode

jose/jwt.py:66–184  ·  view source on GitHub ↗

Verifies a JWT string's signature and validates reserved claims. Args: token (str): A signed JWS to be verified. key (str or iterable): A key to attempt to verify the payload with. This can be simple string with an individual key (e.g. "a1234"), a tuple o

(token, key, algorithms=None, options=None, audience=None, issuer=None, subject=None, access_token=None)

Source from the content-addressed store, hash-verified

64
65
66def decode(token, key, algorithms=None, options=None, audience=None, issuer=None, subject=None, access_token=None):
67 """Verifies a JWT string's signature and validates reserved claims.
68
69 Args:
70 token (str): A signed JWS to be verified.
71 key (str or iterable): A key to attempt to verify the payload with.
72 This can be simple string with an individual key (e.g. "a1234"),
73 a tuple or list of keys (e.g. ("a1234...", "b3579"),
74 a JSON string, (e.g. '["a1234", "b3579"]'),
75 a dict with the 'keys' key that gives a tuple or list of keys (e.g {'keys': [...]} ) or
76 a dict or JSON string for a JWK set as defined by RFC 7517 (e.g.
77 {'keys': [{'kty': 'oct', 'k': 'YTEyMzQ'}, {'kty': 'oct', 'k':'YjM1Nzk'}]} or
78 '{"keys": [{"kty":"oct","k":"YTEyMzQ"},{"kty":"oct","k":"YjM1Nzk"}]}'
79 ) in which case the keys must be base64 url safe encoded (with optional padding).
80 algorithms (str or list): Valid algorithms that should be used to verify the JWS.
81 audience (str): The intended audience of the token. If the "aud" claim is
82 included in the claim set, then the audience must be included and must equal
83 the provided claim.
84 issuer (str or iterable): Acceptable value(s) for the issuer of the token.
85 If the "iss" claim is included in the claim set, then the issuer must be
86 given and the claim in the token must be among the acceptable values.
87 subject (str): The subject of the token. If the "sub" claim is
88 included in the claim set, then the subject must be included and must equal
89 the provided claim.
90 access_token (str): An access token string. If the "at_hash" claim is included in the
91 claim set, then the access_token must be included, and it must match
92 the "at_hash" claim.
93 options (dict): A dictionary of options for skipping validation steps.
94
95 defaults = {
96 'verify_signature': True,
97 'verify_aud': True,
98 'verify_iat': True,
99 'verify_exp': True,
100 'verify_nbf': True,
101 'verify_iss': True,
102 'verify_sub': True,
103 'verify_jti': True,
104 'verify_at_hash': True,
105 'require_aud': False,
106 'require_iat': False,
107 'require_exp': False,
108 'require_nbf': False,
109 'require_iss': False,
110 'require_sub': False,
111 'require_jti': False,
112 'require_at_hash': False,
113 'leeway': 0,
114 }
115
116 Returns:
117 dict: The dict representation of the claims set, assuming the signature is valid
118 and all requested data validation passes.
119
120 Raises:
121 JWTError: If the signature is invalid in any way.
122 ExpiredSignatureError: If the signature has expired.
123 JWTClaimsError: If any claim is invalid in any way.

Callers

nothing calls this directly

Calls 3

JWTErrorClass · 0.85
_validate_claimsFunction · 0.85
verifyMethod · 0.45

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…