34

I am using pyjwt library for decoding the JWT token. I got this error when I am decoding. The code was given in the documantation.

import jwt

encoded_jwt='''eyJ0eXAiOiJKV1QiLCJhbG......'''
secret=b''''-----BEGIN PUBLIC KEY-----
MIIFRjCCBC6gAwIBAgIQCIdSGhpikQCjOIY154XoqzANBgkqhkiG9w0BAQsFADBN
......
-----END PUBLIC KEY-----'''

print(jwt.decode(encoded_jwt, secret , algorithms=['RS256']))

raise ValueError("Could not deserialize key data.") ValueError: Could not deserialize key data.

Could You please help me in resolving it beacuse when I use this it in the JWT website it's working.

This is the full error log..

Traceback (most recent call last): File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/algorithms.py", line 205, in prepare_key key = load_pem_private_key(key, password=None, backend=default_backend()) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/primitives/serialization.py", line 20, in load_pem_private_key return backend.load_pem_private_key(data, password) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1014, in load_pem_private_key password, File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1233, in _load_key self._handle_key_loading_error() File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1291, in _handle_key_loading_error raise ValueError("Could not deserialize key data.") ValueError: Could not deserialize key data.

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "/home/sathiyakugan/PycharmProjects/JWTsample/sample.py", line 45, in print(jwt.decode(encoded_jwt, secret , algorithms=['RS256'])) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/api_jwt.py", line 93, in decode jwt, key=key, algorithms=algorithms, options=options, **kwargs File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/api_jws.py", line 157, in decode key, algorithms) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/api_jws.py", line 221, in _verify_signature key = alg_obj.prepare_key(key) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/jwt/algorithms.py", line 207, in prepare_key key = load_pem_public_key(key, backend=default_backend()) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/primitives/serialization.py", line 24, in load_pem_public_key return backend.load_pem_public_key(data) File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1040, in load_pem_public_key self._handle_key_loading_error() File "/home/sathiyakugan/PycharmProjects/Python/venv/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1291, in _handle_key_loading_error raise ValueError("Could not deserialize key data.") ValueError: Could not deserialize key data.

Process finished with exit code 1

Improve this question
2
  • 1
    @stovfl No it's different problem Commented Nov 16, 2018 at 15:15
  • 3
    You appear to have a typo. One extra apostrophe in your public key, right at the start. Commented May 18, 2020 at 17:40

14 Answers 14

Reset to default
23

If you get this error double check your public key is exactly right, new lines are important.

key = '''-----BEGIN PUBLIC KEY-----
<main key here>
-----END PUBLIC KEY-----'''
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

This is really helpful, it should have been the accepted answer.
17

It's a good idea to use your RSA keys with OpenSSL:

openssl genrsa -out jwt-key 4096
openssl rsa -in jwt-key -pubout > jwt-key.pub

Reference: link

Updated Text:

It seems you're encountering a key deserialization problem with the PyJWT library. This issue often arises from an incompatible or incorrectly formatted key. To resolve this, I suggest generating a new RSA key pair using OpenSSL. Here's a step-by-step explanation:

  1. Generating the RSA Private Key:

    • Command: openssl genrsa -out jwt-key 4096
    • This command uses OpenSSL to create an RSA private key.
    • genrsa generates the RSA key.
    • -out jwt-key defines the output filename for the private key.
    • 4096 is the key size, offering a balance between security and performance.

  2. Extracting the Public Key:

    • Command: openssl rsa -in jwt-key -pubout > jwt-key.pub
    • This command extracts the public key from the generated private key.
    • -in jwt-key specifies the input file, the private key from the first step.
    • -pubout signals the extraction of the public key.
    • jwt-key.pub is where the public key will be saved.

By using these commands, you'll generate a new RSA key pair. The private key (jwt-key) is for signing the JWT, and the public key (jwt-key.pub) is for verifying the signature. Remember to securely store the private key and only share the public key.

After generating these keys, update your Python code to use the new keys, ensuring the public key is read in the format expected by the PyJWT library. This approach should solve the deserialization issue with your current key.

Improve this answer

1 Comment

I had a similar issue and this was the solution for my problem. Thanks, and recommend answer (although I did not check the others)
16

Use the authlib library, I never managed to decode keycloak tokens with pyjwt. You need a public_key, I assume you have it.

from authlib.jose import jwt
key = '-----BEGIN PUBLIC KEY-----\n' + public_key + '\n-----END PUBLIC KEY-----'
key_binary = key.encode('ascii')

try:
    claims = jwt.decode(encoded,key_binary)
    claims.validate()
    #do some logic here
    #...

ProTip: you may grab the public key easily from your auth server (in my case Keycloak) at some endpoint:

url = 'http://localhost:8080/auth/realms/your_realm'
with  urllib.request.urlopen(url) as r:
    response = r.read()
    public_key = json.loads(response)['public_key']
Improve this answer

3 Comments

"I never managed to decode keycloak tokens with pyjwt" I'm late to the party here, but had a similar issue using pyjwt to validate JWTs from Keycloak. I finally realized it's because pyjwt is expecting the PUBLIC-KEY value only (not a full PEM certificate). I got it to work by converting the x509 cert which Keycloak provides into a PEM file (by wrapping it in "-----BEGIN/END CERTIFICATE-----" lines), and using the following openssl command to extract the PUBLIC-KEY value: openssl x509 -pubkey -noout -in certificate.pem. The resulting public key output then works with pyjwt.
FWIW: renzolucioni.com/verifying-jwts-with-jwks-and-pyjwt
This works for me.
11

How did you encode your jwt? Use one of the approaches below

Encoding & Decoding Tokens with RS256 (RSA)

encoded = jwt.encode({'some': 'payload'}, private_key, algorithm='RS256')
decoded = jwt.decode(encoded, public_key, algorithms='RS256')

Reading the Claimset without Validation

jwt.decode(encoded, verify=False)
{u'some': u'payload'}

Or use same secret to encode and decode the jwt, one of the approach should work. In my case I used jwt.decode(token, verify=False) because my server has already did the signature validation for me, I only need to get the claimset.

Improve this answer

3 Comments

This is not working for me, It says ValueError: Could not deserialize key data. on encoding data.
Which one is not working for you the decode method with a public key or without the public key
In my case the issue was with encoding, we can encode with the above flow but we need to load private key properly, I found this on : github.com/jpadilla/pyjwt/issues/320, after this I was able to do encode and decode.
10

There are some issues in the pyjwt library. and you must get the public key from the certificate.

I used openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

then from the public key I could easily decode it using authlib library.

from authlib.specs.rfc7519 import jwt

encoded_jwt='''eyJ0eXAiOiJ....'''
secret=b'''-----BEGIN PUBLIC KEY-----
......
-----END PUBLIC KEY-----'''
claims = jwt.decode(encoded_jwt, secret)
print(claims)
Improve this answer

Comments

4

For pyjwt 2.8.0, it worked for me when using options={"verify_signature": False} instead of verify=False

jwt.decode(token.encode(), options={"verify_signature": False})
Improve this answer

Comments

2

MacOS Catalina 10.15.4 Python 2.7.16.

This solved the problem in my case

pip install cryptography==2.3
Improve this answer

Comments

1

If the problem was the fact that you are using certificate you can just extract public / private key from the certificate:

from cryptography.x509 import load_pem_x509_certificate

cert_str = b"-----BEGIN CERTIFICATE-----MIIDETCCAfm..."
cert_obj = load_pem_x509_certificate(cert_str)
public_key = cert_obj.public_key()
private_key = cert_obj.private_key()

Source: https://pyjwt.readthedocs.io/en/stable/faq.html

Improve this answer

Comments

0

For me, there were spaces in the key (silly IDE) which caused this issue, make sure that's not the case with you

Improve this answer

Comments

0

save the public key into the file and pass the path and use that.

  1. public_key = open(path).read()
  2. payload = jwt.decode(token, public_key, algorithms=['RS256'])
Improve this answer

Comments

0

For me what worked was setting the jwt verify signature to false:

import jwt 

token = st_javascript('''localStorage.getItem("some_token")''') # fetch your token of interest
decoded = jwt.decode(token, options={"verify_signature": False}) # decode the token

Note: This bypasses JWT verification and should only be used if you don't care wether the JWT is cryptographically invalid or valid.

For more info you can view the jwt documentation.

Improve this answer

Comments

0

If you have the JWKS url of your Authorization Server. Reference Use dynamic keys

from authlib.jose import jwt

response = requests.get('http://localhost:9090/oauth2/jwks')
response = response.json()
    
claims = jwt.decode(encoded, response)
print("claims validate:", claims.validate())
print("claims:", claims)

I tried manually passing the Public key to jwt.decode() and with pyjwt as well.

Improve this answer

Comments

0

You have to escape the \n characters:

# Replace \n with actual newlines
api_secret = api_secret.replace("\\n", "\n")

print(f"API Key: {api_key}")
print(f"API Secret: {api_secret}")
Improve this answer

Comments

0

I am stumbled upon this problem today for creating the JWT for Google Wallet Service and all the examples here are not complete so I have written this piece of code and it works on my side.

import jwt
import time

iat = time.time()
exp = iat + 3600

secret='''-----BEGIN PRIVATE KEY-----
PASTE HERE THE PRIVATE KEY FROM THE CREDENTIALS.JSON FILE DOWNLOADED FROM GOOGLE CLOUD
-----END PRIVATE KEY-----'''


payload = {
  "iss": "[email protected]",
  "sub": "[email protected]",
  "aud": "https://walletobjects.googleapis.com/",
  "iat": iat,
  "exp": exp
 }
           
additional_headers = {'kid': 'YOUR PRIVATE KEY ID'}
signed_jwt = jwt.encode(payload, secret, headers=additional_headers,
                       algorithm='RS256')
                       
print(signed_jwt)

Remember to execute the code by shell:

python nameofyourfile
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.