/usr/lib/python3/dist-packages/PyJWT-1.3.0.egg-info/PKG-INFO is in python3-jwt 1.3.0-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 | Metadata-Version: 1.1
Name: PyJWT
Version: 1.3.0
Summary: JSON Web Token implementation in Python
Home-page: http://github.com/jpadilla/pyjwt
Author: José Padilla
Author-email: hello@jpadilla.com
License: MIT
Description: # PyJWT
[![travis-status-image]][travis]
[![pypi-version-image]][pypi]
[![coveralls-status-image]][coveralls]
A Python implementation of [JSON Web Token draft 32][jwt-spec].
Original implementation was written by [@progrium][progrium].
## Installing
```
$ pip install PyJWT
```
**A Note on Dependencies**:
RSA and ECDSA signatures depend on the recommended `cryptography` package (0.8+). If you plan on
using any of those algorithms, you'll need to install it as well.
```
$ pip install cryptography
```
If you're system doesn't allow installing `cryptography` like on Google App Engine, you can install `PyCrypto` for RSA signatures and `ecdsa` for ECDSA signatures.
## Usage
```python
>>> import jwt
>>> encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256')
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.4twFt5NiznN84AWoo1d7KO1T_yoc0Z6XOpOVswacPZg'
```
Additional headers may also be specified.
```python
>>> jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256', headers={'kid': '230498151c214b788dd97f22b85410a5'})
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjIzMDQ5ODE1MWMyMTRiNzg4ZGQ5N2YyMmI4NTQxMGE1In0.eyJzb21lIjoicGF5bG9hZCJ9.DogbDGmMHgA_bU05TAB-R6geQ2nMU2BRM-LnYEtefwg'
```
Note the resulting JWT will not be encrypted, but verifiable with a secret key.
```python
>>> jwt.decode(encoded, 'secret', algorithms=['HS256'])
{u'some': u'payload'}
```
If the secret is wrong, it will raise a `jwt.DecodeError` telling you as such.
You can still get the payload by setting the `verify` argument to `False`.
```python
>>> jwt.decode(encoded, verify=False)
{u'some': u'payload'}
```
The `decode()` function can raise other exceptions, e.g. for invalid issuer or
audience (see below). All exceptions that signify that the token is invalid
extend from the base `InvalidTokenError` exception class, so applications can
use this approach to catch any issues relating to invalid tokens:
```python
try:
payload = jwt.decode(encoded)
except jwt.InvalidTokenError:
pass # do something sensible here, e.g. return HTTP 403 status code
```
You may also override exception checking via an `options` dictionary. The default
options are as follows:
```python
options = {
'verify_signature': True,
'verify_exp': True,
'verify_nbf': True,
'verify_iat': True,
'verify_aud': True
}
```
You can skip individual checks by passing an `options` dictionary with certain keys set to `False`.
For example, if you want to verify the signature of a JWT that has already expired.
```python
>>> options = {
>>> 'verify_exp': True,
>>> }
>>> jwt.decode(encoded, 'secret', options=options)
{u'some': u'payload'}
```
**NOTE**: *Changing the default behavior is done at your own risk, and almost certainly will make your
application less secure. Doing so should only be done with a very clear understanding of what you
are doing.*
## Tests
You can run tests from the project root after cloning with:
```
$ python setup.py test
```
## Algorithms
The JWT spec supports several algorithms for cryptographic signing. This library
currently supports:
* HS256 - HMAC using SHA-256 hash algorithm (default)
* HS384 - HMAC using SHA-384 hash algorithm
* HS512 - HMAC using SHA-512 hash algorithm
* ES256 - ECDSA signature algorithm using SHA-256 hash algorithm
* ES384 - ECDSA signature algorithm using SHA-384 hash algorithm
* ES512 - ECDSA signature algorithm using SHA-512 hash algorithm
* RS256 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-256 hash algorithm
* RS384 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-384 hash algorithm
* RS512 - RSASSA-PKCS1-v1_5 signature algorithm using SHA-512 hash algorithm
* PS256 - RSASSA-PSS signature using SHA-256 and MGF1 padding with SHA-256
* PS384 - RSASSA-PSS signature using SHA-384 and MGF1 padding with SHA-384
* PS512 - RSASSA-PSS signature using SHA-512 and MGF1 padding with SHA-512
### Encoding
You can specify which algorithm you would like to use to sign the JWT
by using the `algorithm` parameter:
```python
>>> encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS512')
'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.WTzLzFO079PduJiFIyzrOah54YaM8qoxH9fLMQoQhKtw3_fMGjImIOokijDkXVbyfBqhMo2GCNu4w9v7UXvnpA'
```
### Decoding
When decoding, you can specify which algorithms you would like to permit
when validating the JWT by using the `algorithms` parameter which takes a list
of allowed algorithms:
```python
>>> jwt.decode(encoded, 'secret', algorithms=['HS512', 'HS256'])
{u'some': u'payload'}
```
In the above case, if the JWT has any value for its alg header other than
HS512 or HS256, the claim will be rejected with an `InvalidAlgorithmError`.
### Asymmetric (Public-key) Algorithms
Usage of RSA (RS\*) and EC (EC\*) algorithms require a basic understanding
of how public-key cryptography is used with regards to digital signatures.
If you are unfamiliar, you may want to read
[this article](http://en.wikipedia.org/wiki/Public-key_cryptography).
When using the RSASSA-PKCS1-v1_5 algorithms, the `key` argument in both
`jwt.encode()` and `jwt.decode()` (`"secret"` in the examples) is expected to
be either an RSA public or private key in PEM or SSH format. The type of key
(private or public) depends on whether you are signing or verifying.
When using the ECDSA algorithms, the `key` argument is expected to
be an Elliptic Curve public or private key in PEM format. The type of key
(private or public) depends on whether you are signing or verifying.
## Support of registered claim names
JSON Web Token defines some registered claim names and defines how they should
be used. PyJWT supports these registered claim names:
- "exp" (Expiration Time) Claim
- "nbf" (Not Before Time) Claim
- "iss" (Issuer) Claim
- "aud" (Audience) Claim
- "iat" (Issued At) Claim
### Expiration Time Claim
From [the JWT spec][jwt-spec-reg-claims]:
> The "exp" (expiration time) claim identifies the expiration time on
> or after which the JWT MUST NOT be accepted for processing. The
> processing of the "exp" claim requires that the current date/time
> MUST be before the expiration date/time listed in the "exp" claim.
> Implementers MAY provide for some small leeway, usually no more than
> a few minutes, to account for clock skew. Its value MUST be a number
> containing a NumericDate value. Use of this claim is OPTIONAL.
You can pass the expiration time as a UTC UNIX timestamp (an int) or as a
datetime, which will be converted into an int. For example:
```python
jwt.encode({'exp': 1371720939}, 'secret')
jwt.encode({'exp': datetime.utcnow()}, 'secret')
```
Expiration time is automatically verified in `jwt.decode()` and raises
`jwt.ExpiredSignatureError` if the expiration time is in the past:
```python
import jwt
try:
jwt.decode('JWT_STRING', 'secret')
except jwt.ExpiredSignatureError:
# Signature has expired
```
Expiration time will be compared to the current UTC time (as given by
`timegm(datetime.utcnow().utctimetuple())`), so be sure to use a UTC timestamp
or datetime in encoding.
You can turn off expiration time verification with the `verify_exp` parameter in the options argument.
PyJWT also supports the leeway part of the expiration time definition, which
means you can validate a expiration time which is in the past but not very far.
For example, if you have a JWT payload with a expiration time set to 30 seconds
after creation but you know that sometimes you will process it after 30 seconds,
you can set a leeway of 10 seconds in order to have some margin:
```python
import datetime
import time
import jwt
jwt_payload = jwt.encode({
'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=30)
}, 'secret')
time.sleep(32)
# JWT payload is now expired
# But with some leeway, it will still validate
jwt.decode(jwt_payload, 'secret', leeway=10)
```
Instead of specifying the leeway as a number of seconds, a `datetime.timedelta`
instance can be used. The last line in the example above is equivalent to:
```python
jwt.decode(jwt_payload, 'secret', leeway=datetime.timedelta(seconds=10))
```
### Not Before Time Claim
> The "nbf" (not before) claim identifies the time before which the JWT
> MUST NOT be accepted for processing. The processing of the "nbf"
> claim requires that the current date/time MUST be after or equal to
> the not-before date/time listed in the "nbf" claim. Implementers MAY
> provide for some small leeway, usually no more than a few minutes, to
> account for clock skew. Its value MUST be a number containing a
> NumericDate value. Use of this claim is OPTIONAL.
The `nbf` claim works similarly to the `exp` claim above.
```python
jwt.encode({'nbf': 1371720939}, 'secret')
jwt.encode({'nbf': datetime.utcnow()}, 'secret')
```
### Issuer Claim
> The "iss" (issuer) claim identifies the principal that issued the
> JWT. The processing of this claim is generally application specific.
> The "iss" value is a case-sensitive string containing a StringOrURI
> value. Use of this claim is OPTIONAL.
```python
import jwt
payload = {
'some': 'payload',
'iss': 'urn:foo'
}
token = jwt.encode(payload, 'secret')
decoded = jwt.decode(token, 'secret', issuer='urn:foo')
```
If the issuer claim is incorrect, `jwt.InvalidIssuerError` will be raised.
### Audience Claim
> The "aud" (audience) claim identifies the recipients that the JWT is
> intended for. Each principal intended to process the JWT MUST
> identify itself with a value in the audience claim. If the principal
> processing the claim does not identify itself with a value in the
> "aud" claim when this claim is present, then the JWT MUST be
> rejected. In the general case, the "aud" value is an array of case-
> sensitive strings, each containing a StringOrURI value. In the
> special case when the JWT has one audience, the "aud" value MAY be a
> single case-sensitive string containing a StringOrURI value. The
> interpretation of audience values is generally application specific.
> Use of this claim is OPTIONAL.
```python
import jwt
payload = {
'some': 'payload',
'aud': 'urn:foo'
}
token = jwt.encode(payload, 'secret')
decoded = jwt.decode(token, 'secret', audience='urn:foo')
```
If the audience claim is incorrect, `jwt.InvalidAudienceError` will be raised.
### Issued At Claim
> The iat (issued at) claim identifies the time at which the JWT was issued.
> This claim can be used to determine the age of the JWT. Its value MUST be a
> number containing a NumericDate value. Use of this claim is OPTIONAL.
If the `iat` claim is in the future, an `jwt.InvalidIssuedAtError` exception
will be raised.
```python
jwt.encode({'iat': 1371720939}, 'secret')
jwt.encode({'iat': datetime.utcnow()}, 'secret')
```
## Frequently Asked Questions
**How can I extract a public / private key from a x509 certificate?**
The `load_pem_x509_certificate()` function from `cryptography` can be used to
extract the public or private keys from a x509 certificate in PEM format.
```python
from cryptography.x509 import load_pem_x509_certificate
from cryptography.hazmat.backends import default_backend
cert_str = "-----BEGIN CERTIFICATE-----MIIDETCCAfm..."
cert_obj = load_pem_x509_certificate(cert_str, default_backend())
public_key = cert_obj.public_key()
private_key = cert_obj.private_key()
```
[travis-status-image]: https://secure.travis-ci.org/jpadilla/pyjwt.png?branch=master
[travis]: http://travis-ci.org/jpadilla/pyjwt?branch=master
[pypi-version-image]: https://pypip.in/version/pyjwt/badge.svg
[pypi]: https://pypi.python.org/pypi/pyjwt
[coveralls-status-image]: https://coveralls.io/repos/jpadilla/pyjwt/badge.svg?branch=master
[coveralls]: https://coveralls.io/r/jpadilla/pyjwt?branch=master
[jwt-spec]: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
[jwt-spec-reg-claims]: http://self-issued.info/docs/draft-jones-json-web-token-01.html#ReservedClaimName
[progrium]: https://github.com/progrium
Keywords: jwt json web token security signing
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Natural Language :: English
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 2.6
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3.3
Classifier: Programming Language :: Python :: 3.4
Classifier: Topic :: Utilities
|