Login/Register
Could not deserialize key data on decoding JWT python
Asked Answered
Solved pythonauthenticationoauthjwtencode
W

13

32

I am using pyjwt library for decoding the JWT token. I got this error when I am decoding. The code was given in the documantation.

import jwt

encoded_jwt='''eyJ0eXAiOiJKV1QiLCJhbG......'''
secret=b''''-----BEGIN PUBLIC KEY-----
MIIFRjCCBC6gAwIBAgIQCIdSGhpikQCjOIY154XoqzANBgkqhkiG9w0BAQsFADBN
......
-----END PUBLIC KEY-----'''

print(jwt.decode(encoded_jwt, secret , algorithms=['RS256']))

raise ValueError("Could not deserialize key data.") ValueError: Could not deserialize key data.

Could You please help me in resolving it beacuse when I use this it in the JWT website it's working.

This is the full error log..

Traceback (most recent call last): File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/algorithms.py", line 205, in prepare_key key = load_pem_private_key(key, password=None, backend=default_backend()) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/primitives/serialization.py", line 20, in load_pem_private_key return backend.load_pem_private_key(data, password) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1014, in load_pem_private_key password, File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1233, in _load_key self._handle_key_loading_error() File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1291, in _handle_key_loading_error raise ValueError("Could not deserialize key data.") ValueError: Could not deserialize key data.

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/home/sathiyakugan/PycharmProjects/JWTsample/sample.py", line 45, in print(jwt.decode(encoded_jwt, secret , algorithms=['RS256'])) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/api_jwt.py", line 93, in decode jwt, key=key, algorithms=algorithms, options=options, **kwargs File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/api_jws.py", line 157, in decode key, algorithms) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/api_jws.py", line 221, in _verify_signature key = alg_obj.prepare_key(key) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/algorithms.py", line 207, in prepare_key key = load_pem_public_key(key, backend=default_backend()) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/primitives/serialization.py", line 24, in load_pem_public_key return backend.load_pem_public_key(data) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1040, in load_pem_public_key self._handle_key_loading_error() File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1291, in _handle_key_loading_error raise ValueError("Could not deserialize key data.") ValueError: Could not deserialize key data.

Process finished with exit code 1

Whitethorn answered 16/11, 2018 at 12:21 Comment(2)
@stovfl No it's different problemWhitethorn
You appear to have a typo. One extra apostrophe in your public key, right at the start.Sandor
W
10

There are some issues in the pyjwt library. and you must get the public key from the certificate.

I used openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

then from the public key I could easily decode it using authlib library.

from authlib.specs.rfc7519 import jwt

encoded_jwt='''eyJ0eXAiOiJ....'''
secret=b'''-----BEGIN PUBLIC KEY-----
......
-----END PUBLIC KEY-----'''
claims = jwt.decode(encoded_jwt, secret)
print(claims)
Whitethorn answered 19/11, 2018 at 10:25 Comment(0)
S
20

If you get this error double check your public key is exactly right, new lines are important.

key = '''-----BEGIN PUBLIC KEY-----
<main key here>
-----END PUBLIC KEY-----'''
Sandor answered 18/5, 2020 at 17:43 Comment(1)
This is really helpful, it should have been the accepted answer.Vargo
S
17

It's a good idea to use your RSA keys with OpenSSL:

openssl genrsa -out jwt-key 4096
openssl rsa -in jwt-key -pubout > jwt-key.pub

Reference: link

Updated Text:

It seems you're encountering a key deserialization problem with the PyJWT library. This issue often arises from an incompatible or incorrectly formatted key. To resolve this, I suggest generating a new RSA key pair using OpenSSL. Here's a step-by-step explanation:

  1. Generating the RSA Private Key:

    • Command: openssl genrsa -out jwt-key 4096
    • This command uses OpenSSL to create an RSA private key.
    • genrsa generates the RSA key.
    • -out jwt-key defines the output filename for the private key.
    • 4096 is the key size, offering a balance between security and performance.

  2. Extracting the Public Key:

    • Command: openssl rsa -in jwt-key -pubout > jwt-key.pub
    • This command extracts the public key from the generated private key.
    • -in jwt-key specifies the input file, the private key from the first step.
    • -pubout signals the extraction of the public key.
    • jwt-key.pub is where the public key will be saved.

By using these commands, you'll generate a new RSA key pair. The private key (jwt-key) is for signing the JWT, and the public key (jwt-key.pub) is for verifying the signature. Remember to securely store the private key and only share the public key.

After generating these keys, update your Python code to use the new keys, ensuring the public key is read in the format expected by the PyJWT library. This approach should solve the deserialization issue with your current key.

Stieglitz answered 24/1, 2020 at 18:41 Comment(1)
I had a similar issue and this was the solution for my problem. Thanks, and recommend answer (although I did not check the others)Tooth
U
15

Use the authlib library, I never managed to decode keycloak tokens with pyjwt. You need a public_key, I assume you have it.

from authlib.jose import jwt
key = '-----BEGIN PUBLIC KEY-----\n' + public_key + '\n-----END PUBLIC KEY-----'
key_binary = key.encode('ascii')

try:
    claims = jwt.decode(encoded,key_binary)
    claims.validate()
    #do some logic here
    #...

ProTip: you may grab the public key easily from your auth server (in my case Keycloak) at some endpoint:

url = 'http://localhost:8080/auth/realms/your_realm'
with  urllib.request.urlopen(url) as r:
    response = r.read()
    public_key = json.loads(response)['public_key']
Utimer answered 26/8, 2019 at 14:34 Comment(2)
"I never managed to decode keycloak tokens with pyjwt" I'm late to the party here, but had a similar issue using pyjwt to validate JWTs from Keycloak. I finally realized it's because pyjwt is expecting the PUBLIC-KEY value only (not a full PEM certificate). I got it to work by converting the x509 cert which Keycloak provides into a PEM file (by wrapping it in "-----BEGIN/END CERTIFICATE-----" lines), and using the following openssl command to extract the PUBLIC-KEY value: openssl x509 -pubkey -noout -in certificate.pem. The resulting public key output then works with pyjwt.Pleonasm
FWIW: renzolucioni.com/verifying-jwts-with-jwks-and-pyjwtCaddis
K
11

How did you encode your jwt? Use one of the approaches below

Encoding & Decoding Tokens with RS256 (RSA)

encoded = jwt.encode({'some': 'payload'}, private_key, algorithm='RS256')
decoded = jwt.decode(encoded, public_key, algorithms='RS256')

Reading the Claimset without Validation

jwt.decode(encoded, verify=False)
{u'some': u'payload'}

Or use same secret to encode and decode the jwt, one of the approach should work. In my case I used jwt.decode(token, verify=False) because my server has already did the signature validation for me, I only need to get the claimset.

Kinshasa answered 16/11, 2018 at 18:42 Comment(3)
This is not working for me, It says ValueError: Could not deserialize key data. on encoding data.Mantling
Which one is not working for you the decode method with a public key or without the public keyKinshasa
In my case the issue was with encoding, we can encode with the above flow but we need to load private key properly, I found this on : github.com/jpadilla/pyjwt/issues/320, after this I was able to do encode and decode.Mantling
W
10

There are some issues in the pyjwt library. and you must get the public key from the certificate.

I used openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

then from the public key I could easily decode it using authlib library.

from authlib.specs.rfc7519 import jwt

encoded_jwt='''eyJ0eXAiOiJ....'''
secret=b'''-----BEGIN PUBLIC KEY-----
......
-----END PUBLIC KEY-----'''
claims = jwt.decode(encoded_jwt, secret)
print(claims)
Whitethorn answered 19/11, 2018 at 10:25 Comment(0)
L
4

For pyjwt 2.8.0, it worked for me when using options={"verify_signature": False} instead of verify=False

jwt.decode(token.encode(), options={"verify_signature": False})
Lapierre answered 8/11, 2023 at 12:55 Comment(0)
E
2

MacOS Catalina 10.15.4 Python 2.7.16.

This solved the problem in my case

pip install cryptography==2.3
Epigram answered 21/11, 2020 at 10:43 Comment(0)
C
1

If the problem was the fact that you are using certificate you can just extract public / private key from the certificate:

from cryptography.x509 import load_pem_x509_certificate

cert_str = b"-----BEGIN CERTIFICATE-----MIIDETCCAfm..."
cert_obj = load_pem_x509_certificate(cert_str)
public_key = cert_obj.public_key()
private_key = cert_obj.private_key()

Source: https://pyjwt.readthedocs.io/en/stable/faq.html

Clearstory answered 8/7, 2022 at 15:47 Comment(0)
P
0

For me, there were spaces in the key (silly IDE) which caused this issue, make sure that's not the case with you

Pentagram answered 28/8, 2020 at 5:17 Comment(0)
T
0

save the public key into the file and pass the path and use that.

  1. public_key = open(path).read()
  2. payload = jwt.decode(token, public_key, algorithms=['RS256'])
Teddman answered 17/5, 2022 at 11:42 Comment(0)
G
0

For me what worked was setting the jwt verify signature to false:

import jwt 

token = st_javascript('''localStorage.getItem("some_token")''') # fetch your token of interest
decoded = jwt.decode(token, options={"verify_signature": False}) # decode the token

Note: This bypasses JWT verification and should only be used if you don't care wether the JWT is cryptographically invalid or valid.

For more info you can view the jwt documentation.

Gothard answered 4/5, 2023 at 15:39 Comment(0)
C
0

If you have the JWKS url of your Authorization Server. Reference Use dynamic keys

from authlib.jose import jwt

response = requests.get('http://localhost:9090/oauth2/jwks')
response = response.json()
    
claims = jwt.decode(encoded, response)
print("claims validate:", claims.validate())
print("claims:", claims)

I tried manually passing the Public key to jwt.decode() and with pyjwt as well.

Courtly answered 24/4 at 10:4 Comment(0)
M
0

You have to escape the \n characters:

# Replace \n with actual newlines
api_secret = api_secret.replace("\\n", "\n")

print(f"API Key: {api_key}")
print(f"API Secret: {api_secret}")
Mislead answered 21/5 at 23:1 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.