Decode nested JWT with Python


William E.

Dec 6, 2018, 12:31:28 AM12/6/18
to CAS Community
Has anyone tried to parse the nested JWT, JWS + JWE, produced by CAS 5.x?  If so, would you mind posting a snippet please?  I've read that the python-jose library can check signatures but not decrypt the payload.  Been trying to use jwcrypto but can't seem to get the step put together in the correct order.  Admittedly, I am very new to python and may be just making newbie mistakes.

My understanding is the JWT from cas is header + encrypted payload with signature of these two combined, then all base64 encoded.  Using this doc showing java decode/decrypt as a guide: 



Our cas settings are as follows, keys omitted below.

cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=AES
cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true



My feeble attempts so far look something like this:


import base64
from jwcrypto import jwk, jwe, jws, jwt
from jwcrypto.common import json_encode, json_decode

token = 'eyJhbGciOiJIUzUxMiJ9.ZX....'  # the base64 jwt (truncated here)

# base64url-encoded key strings taken from the CAS settings (values omitted)
signkeyStr = '<cas.authn.token.crypto.signing.key>'
enckeyStr = '<cas.authn.token.crypto.encryption.key>'

signKey = jwk.JWK(kty='oct', k=signkeyStr)
encKey = jwk.JWK(kty='oct', k=enckeyStr)

E = jwe.JWE()
# deserialize and decrypt the whole token as if it were a JWE
E.deserialize(token)
E.decrypt(encKey)
raw_payload = E.payload



Which results in:


........
  File "/usr/local/Cellar/python/3.7.1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/usr/local/Cellar/python/3.7.1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/Cellar/python/3.7.1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

........
jwcrypto.jwe.InvalidJWEData: Unknown Data Verification Failure

........
jwcrypto.jwe.InvalidJWEData: Invalid format {InvalidJWEData('Unknown Data Verification Failure')}



Thanks,

William

