# Let's have a look at a dummy JWT taken from https://jwt.io

In [13]:
DUMMY_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.S_bjg_r4RH-OEeBl8MDB321ZARb0OaKzpQajdIAHQ-Q'

It is a string of 3 base64 encoded parts which are
* HEADER - JSON
* PAYLOD - JSON
* SIGNATURE - BINARY

In [14]:
import base64
HEADER, PAYLOAD, SIGNATURE = DUMMY_JWT.split('.')

# base64 decode the parts
HEADER = base64.b64decode(HEADER + '==').decode('utf-8')
PAYLOAD = base64.b64decode(PAYLOAD + '==').decode('utf-8')
SIGNATURE = base64.b64decode(SIGNATURE + '==') # this is actually binary!!


In [15]:
import json

HEADER: dict = json.loads(HEADER)
PAYLOAD: dict = json.loads(PAYLOAD)
HEADER

{'alg': 'HS256', 'typ': 'JWT'}

So this is our header
```
{'alg': 'HS256', 'typ': 'JWT'}
```

AFAIK the only required attribute is `alg`, short for used encryption algoryhtm

# HS256
HS256 is a symmetric signing method

There is a secret which is used to sign the JWT
While the same secret is required to verify the JWT

In [16]:
import jwt

key='superSecret'

# generate a valid JWT
JWT = jwt.encode({'bla': 3, 'user': 'myself'}, key, algorithm='HS256')
JWT


'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJibGEiOjMsInVzZXIiOiJteXNlbGYifQ.JbOVYlb4WDC9PDmgL1iU5XYiLArQ5US71oTAuHzSXws'

In [17]:
# decode - while verifying the signature
jwt.decode(JWT, key=key, algorithms=['HS256'])


{'bla': 3, 'user': 'myself'}

## expiry
Cool works!

We can create a JWT and we can verify it.
Yet this JWT is valid *forever*

A common approach is to add an attribute `exp` for expires to the token

In [18]:
import time

expires = int(time.time()) + 3600

JWT = jwt.encode({'bla': 3, 'user': 'myself', 'exp': expires}, key, algorithm='HS256')
jwt.decode(JWT, key=key, algorithms=['HS256'])


{'bla': 3, 'user': 'myself', 'exp': 1695474981}

# Claims
See: https://www.iana.org/assignments/jwt/jwt.xhtml#claims

# RS256
HS256 is a symmetric algorythm. Anybody who wants to create a JWT needs the secret
Even worse - anyone who wants to verify a JWT also needs the same key
Even much worse - what about microservices, different departments or even other companies

RS256 is an assymmetic algorythm. Meaning there is a private key to create signatures and a public key for verification

Keypair can be generated by
```
openssl genrsa -out rsa.key 2048
openssl rsa -pubout -in rsa.key -out rsa.pub
```

In [19]:
# let's read the private key
import jwt
from pathlib import Path

# Only WE have the private key
private_key = Path('rsa.key')

encoded = jwt.encode({"some": "payload"}, private_key.read_text(), algorithm="RS256")
encoded

'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.agNB3_j1Nuj8YHY8s3xw5DeN9Ck7CIaAW8w8kbcPIsO_OB5SNqXFYpNQzITqoK5xbhxfVFwA37a6rksVtQcj7jA2zfd2RXB_n6DqFKV3H4xU21xVg4__0dhcrYy8uwOmQ7LSKmctvcUeYsYkwFUajpa4qK_EYNUYCxwvItuNn54I-xgEyn9GAWSd_vPnMPzE8g_APT1YlQ66cjIyVB1TisTbdI4YPLxJ92LM7zXHrh0Z41CpS81GntVqU1A70pa2P-OOZ_TBskgAHUzOfGYBqmLVSdPYndnR2omLRV1b7tMZ1_RMr_iJukmYfROd5qpYgiwjCf21qdBMUQ3Gu5YYBg'

In [20]:
# let's read the public key
import jwt
from pathlib import Path
public_key = Path('rsa.pub')

# While now we only have to give the public key to someone who wants to verify our signature. yay!
decoded = jwt.decode(encoded, key=public_key.read_text(), algorithms=["RS256"])
decoded


{'some': 'payload'}

# JWKS - JSON Web Keys
How do we distribute those public keys

## Well Known OpenID Connect Endpoint
Normally a JWT has a `claim` called `iss` for Issuer, which is a URL
e.g. for Google JWTs

```
{
    "iss": "https://accounts.google.com"
}
```

And by convention it's configuration can be found at

https://accounts.google.com/.well-known/openid-configuration

There is an Attribute `jwsk_uri` which points to the public keys offered by Google

"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"

In [21]:
# For the demo I use our Cognito DEV endpoints
# OpenID https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_GFUkBWPlH/.well-known/openid-configuration
# JWSK: https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_GFUkBWPlH/.well-known/jwks.json

JWSK = {
    "keys": [
        {
            "alg":"RS256",
            "e":"AQAB",
            "kid":"sNUi6+2SM8XVTikoi3TAwlugnD8HiWzkwqRAGmkFJrM=",
            "kty":"RSA",
            "n":"rvGh-6AZagFrxQUCNCezzGMSDF9rBinY7RvxBO-cw7jmZFLKRzKmqVV7Ix8Nqzd5S0JC0ymG8dC3BmzCrerJOu0TIqmVlo3WGg5PXRfFVxJEI1G8rDQIFD6FTIRR1e2Ai8y180_cyQn8DatHwin8qnKPZhNOO0dQlqmbrSbFKppfyA611uGfc-YOwZCgw0rWm4uPpev0cG112HaGIwlowmwKTJViZmSYORxTih74yWnlPxIMq418sq79UgoKZEFHpfoV_K2ioIgNB_a5SvB7LHs_qwwyvdyiQgn1WQMreaxeu8vJInMMMDQ1BBASd7EF7RK-8o3xVMI4cc6GtM__mw",
            "use":"sig"
        },
        {
            "alg":"RS256",
            "e":"AQAB",
            "kid":"1O6iqB/FexYrhEX1NHGDa06M3Ca+eeYDuf58im9sVJE=",
            "kty":"RSA",
            "n":"1xNHymNzzNNR8nJgZMnz0a1_x6-IEDoCXBMf8pJXKJtOQHAD3bKrpZWnJoctXpCH1IWKxpIBIma6i0vbNwUrScJPR5wb2SJPIWxa7DXl8z8cjbdvmha1BH-ZQN5mM-glokNPeeocTKXkABMnnUyxOPyBgaTPp6jNdicmX876YHvpCFojETewiKJLuoLz2gV3H9-JlM1ArvH0su5bLln4NZJxolNEbumJgMWFTzUEvWMJ4OJdW3tOjvTOjhW4wrxqRyH8r5t2c4W2FU0rw3Spo62Ycg8g2JJkCv3DRKRrrJTGNapHkkKpI8pbPM_Dvb4nOWWPfiOpuWjUoB9EeT9kNw",
            "use":"sig"
        }
    ]
}



In [22]:
import jwt
MY_JWT = 'eyJraWQiOiIxTzZpcUJcL0ZleFlyaEVYMU5IR0RhMDZNM0NhK2VlWUR1ZjU4aW05c1ZKRT0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJiODE4Y2RiMy05YWVlLTQyNjAtOTNmOC1mM2RjZWZiZDljNzIiLCJjb2duaXRvOmdyb3VwcyI6WyJzYS1lYXN0LTFfR0ZVa0JXUGxIX0dvb2dsZSIsImFkbWluIl0sImlzcyI6Imh0dHBzOlwvXC9jb2duaXRvLWlkcC5zYS1lYXN0LTEuYW1hem9uYXdzLmNvbVwvc2EtZWFzdC0xX0dGVWtCV1BsSCIsInZlcnNpb24iOjIsImNsaWVudF9pZCI6IjR0aWQwNzFvZWQ4dnE2Ym5jYzdudnJsc3BzIiwib3JpZ2luX2p0aSI6ImUxMTc3N2NiLTliZWMtNDY2MC1hM2FkLWVlOTAwZmJmNTQxZiIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiYXdzLmNvZ25pdG8uc2lnbmluLnVzZXIuYWRtaW4gb3BlbmlkIHByb2ZpbGUgZW1haWwiLCJhdXRoX3RpbWUiOjE2OTUzODg3NjQsImV4cCI6MTY5NTM5MjM2NCwiaWF0IjoxNjk1Mzg4NzY0LCJqdGkiOiI2OTc0N2YxYS0yMzUxLTRmNzAtOTExOC0xYTY4M2UzMWRiOTEiLCJ1c2VybmFtZSI6Ikdvb2dsZV8xMTQxODgwODQ3NDQ0MzY2NTA1OTcifQ.VHWEjFTht4luP2rHd1Sr_sPziOLiao_xwe1NGwIfxg-Opb81pX8MQqqPKQJtT-aJAlyaGeHKc7sgh9pZV8jVWys4OSCvPirPK9oty7DY-fCtr__Pcs0T3At9GQ4raEFg4NHSK5nim5cOmK5qAqGntMS6zvw41rl_JQmhFypXbPdoQ9Y-1qmcgJCaPxrXblVamY_9IXAiHUmawgxZpMw3z6A0cQOPLr10NKkyPvMZZ2q29CXUqC0tUqyI64HZIQJTGqbkWQkh1FF1w8loCi8B3Fs8RZk8_FVpJViUqxhOeEqn-WFxK5phd-eTzwjJlhI30G-xDl0LsS14jTDdGUuyrQ'

HEADER = jwt.get_unverified_header(MY_JWT)
HEADER

{'kid': '1O6iqB/FexYrhEX1NHGDa06M3Ca+eeYDuf58im9sVJE=', 'alg': 'RS256'}

In [23]:
import jwt
jws = {
            "alg":"RS256",
            "e":"AQAB",
            "kid":"1O6iqB/FexYrhEX1NHGDa06M3Ca+eeYDuf58im9sVJE=", # <- matches the KID from my header
            "kty":"RSA",
            "n":"1xNHymNzzNNR8nJgZMnz0a1_x6-IEDoCXBMf8pJXKJtOQHAD3bKrpZWnJoctXpCH1IWKxpIBIma6i0vbNwUrScJPR5wb2SJPIWxa7DXl8z8cjbdvmha1BH-ZQN5mM-glokNPeeocTKXkABMnnUyxOPyBgaTPp6jNdicmX876YHvpCFojETewiKJLuoLz2gV3H9-JlM1ArvH0su5bLln4NZJxolNEbumJgMWFTzUEvWMJ4OJdW3tOjvTOjhW4wrxqRyH8r5t2c4W2FU0rw3Spo62Ycg8g2JJkCv3DRKRrrJTGNapHkkKpI8pbPM_Dvb4nOWWPfiOpuWjUoB9EeT9kNw",
            "use":"sig"
        }

# This is the actual public key

public_key = jwt.api_jwk.PyJWK.from_dict(jws, algorithm='RS256')
# jwt.decode(MY_JWT, key=public_key.key, algorithms=['RS256'])
jwt.decode(MY_JWT, key=public_key.key, algorithms=['RS256'],options={'verify_exp': False})

{'sub': 'b818cdb3-9aee-4260-93f8-f3dcefbd9c72',
 'cognito:groups': ['sa-east-1_GFUkBWPlH_Google', 'admin'],
 'iss': 'https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_GFUkBWPlH',
 'version': 2,
 'client_id': '4tid071oed8vq6bncc7nvrlsps',
 'origin_jti': 'e11777cb-9bec-4660-a3ad-ee900fbf541f',
 'token_use': 'access',
 'scope': 'aws.cognito.signin.user.admin openid profile email',
 'auth_time': 1695388764,
 'exp': 1695392364,
 'iat': 1695388764,
 'jti': '69747f1a-2351-4f70-9118-1a683e31db91',
 'username': 'Google_114188084744436650597'}