Verifies a JWT string's signature and validates reserved claims. Args: token (str): A signed JWS to be verified. key (str or iterable): A key to attempt to verify the payload with. This can be simple string with an individual key (e.g. "a1234"), a tuple o
(token, key, algorithms=None, options=None, audience=None, issuer=None, subject=None, access_token=None)
| 64 | |
| 65 | |
| 66 | def decode(token, key, algorithms=None, options=None, audience=None, issuer=None, subject=None, access_token=None): |
| 67 | """Verifies a JWT string's signature and validates reserved claims. |
| 68 | |
| 69 | Args: |
| 70 | token (str): A signed JWS to be verified. |
| 71 | key (str or iterable): A key to attempt to verify the payload with. |
| 72 | This can be simple string with an individual key (e.g. "a1234"), |
| 73 | a tuple or list of keys (e.g. ("a1234...", "b3579"), |
| 74 | a JSON string, (e.g. '["a1234", "b3579"]'), |
| 75 | a dict with the 'keys' key that gives a tuple or list of keys (e.g {'keys': [...]} ) or |
| 76 | a dict or JSON string for a JWK set as defined by RFC 7517 (e.g. |
| 77 | {'keys': [{'kty': 'oct', 'k': 'YTEyMzQ'}, {'kty': 'oct', 'k':'YjM1Nzk'}]} or |
| 78 | '{"keys": [{"kty":"oct","k":"YTEyMzQ"},{"kty":"oct","k":"YjM1Nzk"}]}' |
| 79 | ) in which case the keys must be base64 url safe encoded (with optional padding). |
| 80 | algorithms (str or list): Valid algorithms that should be used to verify the JWS. |
| 81 | audience (str): The intended audience of the token. If the "aud" claim is |
| 82 | included in the claim set, then the audience must be included and must equal |
| 83 | the provided claim. |
| 84 | issuer (str or iterable): Acceptable value(s) for the issuer of the token. |
| 85 | If the "iss" claim is included in the claim set, then the issuer must be |
| 86 | given and the claim in the token must be among the acceptable values. |
| 87 | subject (str): The subject of the token. If the "sub" claim is |
| 88 | included in the claim set, then the subject must be included and must equal |
| 89 | the provided claim. |
| 90 | access_token (str): An access token string. If the "at_hash" claim is included in the |
| 91 | claim set, then the access_token must be included, and it must match |
| 92 | the "at_hash" claim. |
| 93 | options (dict): A dictionary of options for skipping validation steps. |
| 94 | |
| 95 | defaults = { |
| 96 | 'verify_signature': True, |
| 97 | 'verify_aud': True, |
| 98 | 'verify_iat': True, |
| 99 | 'verify_exp': True, |
| 100 | 'verify_nbf': True, |
| 101 | 'verify_iss': True, |
| 102 | 'verify_sub': True, |
| 103 | 'verify_jti': True, |
| 104 | 'verify_at_hash': True, |
| 105 | 'require_aud': False, |
| 106 | 'require_iat': False, |
| 107 | 'require_exp': False, |
| 108 | 'require_nbf': False, |
| 109 | 'require_iss': False, |
| 110 | 'require_sub': False, |
| 111 | 'require_jti': False, |
| 112 | 'require_at_hash': False, |
| 113 | 'leeway': 0, |
| 114 | } |
| 115 | |
| 116 | Returns: |
| 117 | dict: The dict representation of the claims set, assuming the signature is valid |
| 118 | and all requested data validation passes. |
| 119 | |
| 120 | Raises: |
| 121 | JWTError: If the signature is invalid in any way. |
| 122 | ExpiredSignatureError: If the signature has expired. |
| 123 | JWTClaimsError: If any claim is invalid in any way. |
nothing calls this directly
no test coverage detected
searching dependent graphs…