jwt.exceptions.DecodeError: Not enough segments #405

Closed
fredaas opened this issue Mar 21, 2019 · 10 comments
Labels
stale Issues without activity for more than 60 days

fredaas commented Mar 21, 2019

Problem description

pyjwt yields said error message when trying to decode an RS256-decoded ID token returned from our OIDC/OAuth token endpoint.

The signed JWT token is encoded using the following header/body:

jwt_header = {
    "x5c": [ jwt_cert ],
    "alg": "RS256"
}

jwt_payload = {
    "aud": config_idporten["aud"],
    "iss": config_idporten["client_id"],
    "iat": utc,
    "exp": utc + datetime.timedelta(seconds = config_idporten["jwt_delay"]),
    "jti": "client_jwt_id"
}

The token is then submitted to the token endpoint with the following payload:

payload = {
    "client_id": config_idporten["client_id"],
    "grant_type": "authorization_code",
    "code": authorization_response["code"],
    "redirect_uri": config_idporten["redirect_login"],
    "client_assertion_type": config_idporten["client_assertion_type"],
    "client_assertion": jwt_token
}

Trying to decode the returned ID token with the code shown below triggers an exception within pyjwt.

try:
    jwt_decoded_id_token = jwt.decode(
        jwt_id_token,
        jwt_public_key,
        audience = config_idporten["aud"],
        algorithms = ["RS256"])
except (jwt.ExpiredSignatureError, jwt.InvalidAudienceError) as e:
    print("[ERROR]", e)

Further notes

Trying to decode the ID token at jwt.io yields the expected outcome, and the ID token consists of three elements. Therefore I'm curious as to why pyjwt complains about there not being enough elements.

Any tips and pointers in the right direction would be much appreciated!

igor47 commented Apr 26, 2019

Having the same issue. Did you ever figure it out?

@jpadilla
Owner

Any chance we can get a full reproduction?

Esquire-gh commented Apr 30, 2019

I had a similar issue and I realised that the JWT token wasn't being added as part of the request header. If you are using Postman to make the requests, you could check if you are typing the token into the value section and not description.

dedeco commented Apr 26, 2020

I'm having the same issue! ;-(

dedeco commented Apr 27, 2020

fredaas commented Apr 27, 2020

It's been a while since we solved this problem. I'll need to go back and take a look at the source, but if I remember correctly it had something to do with the JWT not being correctly formatted.

I'll post a more in-depth answer when I have time.
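
An added example, not part of the thread and not PyJWT's own code: a format-only pre-check for the two causes reported in the comments above (a token that never made it into the request, and a JWT that is not correctly formatted), to run on the value before it reaches jwt.decode. The function names, messages and sample token are constructed for illustration, and the check verifies no signature or claim.

```python
import base64
import binascii
import json


def diagnose_compact_jwt(value):
    """Return structural problems of a would-be compact JWT ([] = none)."""
    # Format check only: no signature or claim is verified here.
    if not isinstance(value, (str, bytes)):
        return [f"expected str or bytes, got {type(value).__name__}"]
    text = value.decode("utf-8", "replace") if isinstance(value, bytes) else value
    if not text.strip():
        return ["token is empty (header or response field missing?)"]
    problems = []
    if text != text.strip():
        problems.append("leading or trailing whitespace")
        text = text.strip()
    if text.lower().startswith("bearer "):
        problems.append("'Bearer ' prefix was not stripped")
        text = text[7:].strip()
    if text.startswith("{"):
        return problems + ["looks like a JSON body; pass only its id_token field"]
    segments = text.split(".")
    if len(segments) != 3:
        return problems + [f"{len(segments)} segment(s), expected 3"]
    # Only header and payload are JSON; the third segment is the signature.
    for name, seg in zip(("header", "payload"), segments):
        try:
            padded = seg + "=" * (-len(seg) % 4)
            json.loads(base64.urlsafe_b64decode(padded))
        except (binascii.Error, ValueError):
            problems.append(f"{name} is not base64url-encoded JSON")
    return problems


def b64url_json(obj):
    """Encode a dict the way JWT segments are encoded (unpadded base64url)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: placeholder signature, not a real ID token.
SAMPLE = ".".join(b64url_json(p) for p in ({"alg": "RS256"}, {"aud": "example"})) + ".c2ln"

if __name__ == "__main__":
    for candidate in (SAMPLE, "", "Bearer " + SAMPLE, "abc.def"):
        print(diagnose_compact_jwt(candidate) or "structure OK")
```

Log the returned messages rather than the token value itself, since an ID token is a bearer credential.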

radbahi commented May 8, 2020

pls get back to us on this. i'm having the same problem.

@christopherorea

The problem is stated here and determines that Flask-JWT-extended requires a custom decorator. You just need to use a previous version and it will work without the decorator.

https://stackoverflow.com/questions/55917908/flask-jwt-extended-is-throwing-an-error-decoding-my-jwt-how-can-i-capture-it

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

github-actions bot added the stale label on Jun 13, 2022

@codemaker2015

The new version of flask-jwt-extended > 4.0.0 replaced @jwt_required with @jwt_required().

If you are using the latest version of flask-jwt-extended then use @jwt_required() and ensure that your JWT is valid.
