Search code examples
pythonjwtpython-cryptographypyjwt

PyJWT decoding showing error "The specified alg value is not allowed" for 'RS512' even if it is listed in supported algorithms


I'm calling the decode function like that:

payload = jwt.decode(token,
                     cert['key'],
                     algorithms=['RS512'],
                     audience=aud,
                     leeway=0,
               
                     )

The error I m having:

File "/usr/local/lib/python3.9/site-packages/jwt/api_jws.py", line 292, in _verify_signature
raise InvalidAlgorithmError("The specified alg value is not allowed")

jwt.exceptions.InvalidAlgorithmError: The specified alg value is not allowed

The crypto extra is installed via poetry in pyproject.toml:

 PyJWT =  {version = "^2.5.0", extras = ["crypto"]}
 cryptography = "^38.0.2"

The listing of supported algorithms listed the algorithm "RS512":

get_default_algorithms().keys()

giving

(['none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES256K', 'ES384', 'ES521', 'ES512', 'PS256', 'PS384', 'PS512', 'EdDSA']

Anyone who has this problem before?


Solution

  • Because the error can have different causes, I suggest checking the error line message _verify_signature in which it indicates that the signature can not be verified as indicated in the documentation and in this post

    >>> jwt.decode(encoded, options={"verify_signature": False})
    {'some': 'payload'}
    

    ...

    >>> jwt.get_unverified_header(encoded)
    {'alg': 'RS512'}