dolfinus changed the title from "How to check for JWT expiration without checking the signature" to "How to check for JWT expiration without checking the signature?" on Dec 23, 2023
Hi.

I'm using authlib in a Python client for a REST API implementing OAuth 2.0. Usage is as simple as:

Method whoami sends a request to the backend. It is using authlib.integrations.requests_client.OAuth2Session to wrap all auth interaction:

The backend decodes this token and uses the payload to get user data.

But if the token is expired, I only get a 401 error from the backend indicating that the token is invalid. This is not very good in terms of UX/DX.

How can I check that the token is expired or malformed before it is sent to the backend? Both to show the user a proper message on the client side, and to raise an exception of a specific type (e.g. TokenExpiredError) which can be handled by the developer.

Also, without passing AuthlibToken.from_dict({"expires_at": ...}), authlib cannot detect that the token is expired and that another token should be issued instead (if using refresh_token, client_credentials and so on to automatically issue a new access_token after expiration).

Currently the only way I could implement this is using python-jose:

jwt.decode raises an exception jose.exceptions.ExpiredSignatureError: Signature has expired. Passing "verify_signature": False allows decoding the token without checking its signature (which the client cannot know in this case; the secret key is private and used by the backend only).

I've tried to use:

or

But they both raise authlib.jose.errors.BadSignatureError: bad_signature: because I didn't provide the corresponding secret key to validate the signature (which is intentional).

I also cannot pass algorithms=["NONE"] to any of those classes' constructors to use key=None, because the real algorithm is determined from the token content, and if it is not present in the algorithms list an exception is raised: authlib.jose.errors.UnsupportedAlgorithmError: unsupported_algorithm:.

So is there any way to check if the token is expired without checking the signature?
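One way to do the client-side pre-check the issue asks for, added here as an example and not code from the issue, from authlib, or from python-jose: pure standard-library Python that splits the compact JWS into its three segments, base64url-decodes the payload without touching the signature, and raises a specific exception (TokenExpiredError, MalformedTokenError) the caller can handle. The exception class names, the function names and the mint_hs256/BACKEND_SECRET helper are assumptions; the helper is a constructed stand-in for the backend so the example runs offline, and the client code never uses the secret. The claims it returns are unverified and are only good for deciding whether to bother sending the token or to refresh it; the backend's signature check remains the authorization decision.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Base class for client-side token pre-checks (name is an assumption)."""


class MalformedTokenError(TokenError):
    """Token is not a well-formed compact JWS: three base64url segments with JSON header/payload."""


class TokenExpiredError(TokenError):
    """The 'exp' claim lies in the past, beyond the allowed leeway."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def peek_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    The client does not hold the backend's key, so it cannot verify and must
    not trust these claims for authorization. They are only used for a UX
    pre-check (expired? malformed?) before the token is sent to the backend,
    which performs the real verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise MalformedTokenError("expected 3 dot-separated segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:  # bad base64url or bad JSON
        raise MalformedTokenError(f"cannot decode token: {exc}") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise MalformedTokenError("header and payload must be JSON objects")
    return claims


def check_not_expired(token: str, now: Optional[float] = None, leeway: int = 0) -> dict:
    """Raise TokenExpiredError if 'exp' has passed; otherwise return the unverified claims."""
    claims = peek_claims(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:
        return claims  # no expiry claim: nothing to pre-check, let the backend decide
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise MalformedTokenError("'exp' must be a NumericDate")
    if now > exp + leeway:
        raise TokenExpiredError(f"token expired at {exp}, now is {now:.0f}")
    return claims


def expires_at(token: str) -> Optional[float]:
    """The 'exp' claim as a POSIX timestamp, usable as the 'expires_at' value of an
    OAuth2 token dict so the client library can decide when to refresh."""
    exp = peek_claims(token).get("exp")
    return None if exp is None else float(exp)


# --- constructed stand-in for the backend that mints HS256 tokens (not client code) ---
BACKEND_SECRET = b"backend-only-secret"  # hypothetical; the client never sees this


def mint_hs256(claims: dict, secret: bytes = BACKEND_SECRET) -> str:
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    now = 1_700_000_000
    fresh = mint_hs256({"sub": "alice", "exp": now + 3600})
    stale = mint_hs256({"sub": "alice", "exp": now - 60})
    print("fresh token subject:", check_not_expired(fresh, now=now)["sub"])
    try:
        check_not_expired(stale, now=now)
    except TokenExpiredError as exc:
        print("client-side pre-check caught:", exc)
```

The pre-check deliberately ignores the header's alg and the third segment, so it is not affected by which algorithm the backend uses and never needs algorithms=["NONE"]; a small leeway absorbs clock skew between client and backend.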