JSON Web Tokens in Python
My previous article introduced a Node.js module, node-jsjws, for performant generation and verification of JSON Web Signatures and JSON Web Tokens.
Brian J Brennan's python-jws is a nice module for generating and verifying JSON Web Signatures in Python. I've already written some unit tests for node-jsjws which show that the JSON Web Signatures it generates can be verified by python-jws and vice versa.
Note that I had to make some minor changes to python-jws in order to add support for the RSASSA-PSS signature algorithms (PS256, PS384 and PS512).
Interoperability between node-jsjws and python-jws is useful because it means a Web site written in Python can send a JSON Web Signature to another site running on Node.js, for example.
I wanted to be able to do the same with JSON Web Tokens: send a token from a site running on Google App Engine, for example, to a service running on Node.js.
Introducing python-jwt
python-jws does have a JWT example, minijwt, but as its name suggests it's a limited implementation of JSON Web Tokens.
I've added the following things to the JWT header and turned minijwt into a standalone module, python-jwt:
- Expiry date and time of the token (exp).
- Date and time at which the token was generated (iat).
- Date and time from which the token is valid (nbf).
- A unique identifier for the token (jti).
exp, iat and nbf are checked against the current time when a token is verified.
I also added support for the none signature algorithm (i.e. an empty signature).
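The verification checks described above, as an added example that is not python-jwt's code. Assumptions: HS256 from the standard library stands in for the RSA algorithms, the time fields are read from the claims set (where RFC 7519 defines them), and make_token, verify_token, allowed_algs and iat_skew are hypothetical names. It also shows why a verifier should pin the algorithms it accepts once none is supported.

```python
import base64, hashlib, hmac, json, time

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret, text):
    return hmac.new(secret, text.encode(), hashlib.sha256).digest()

def make_token(claims, secret, alg="HS256"):
    """Build a compact token; alg 'none' yields an empty signature."""
    head = _b64(json.dumps({"typ": "JWT", "alg": alg}).encode())
    signing_input = head + "." + _b64(json.dumps(claims).encode())
    sig = b"" if alg == "none" else _mac(secret, signing_input)
    return signing_input + "." + _b64(sig)

def verify_token(token, secret, allowed_algs=("HS256",), now=None, iat_skew=0):
    """Return (header, claims) or raise ValueError."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")
    header = json.loads(_unb64(head))
    alg = header.get("alg")
    # Pin algorithms first: 'none' is accepted only if the caller opted in.
    if alg not in allowed_algs:
        raise ValueError("algorithm not allowed")
    if alg == "none":
        ok = sig == ""
    elif alg == "HS256":
        ok = hmac.compare_digest(_mac(secret, head + "." + body), _unb64(sig))
    else:
        ok = False  # allowed by the caller but not implemented in this example
    if not ok:
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    # Time checks against the current time; a missing field is a failure.
    for name in ("exp", "iat", "nbf"):
        if not isinstance(claims.get(name), (int, float)):
            raise ValueError("missing or invalid " + name)
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["nbf"] > now:
        raise ValueError("not yet valid")
    if claims["iat"] > now + iat_skew:
        raise ValueError("issued in the future")
    return header, claims

# Constructed sample values (not from the article).
SECRET, NOW = b"constructed-demo-secret", 1700000000
CLAIMS = {"foo": "bar", "iat": NOW, "nbf": NOW, "exp": NOW + 300}
```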
Example
Here's a simple example using a key generated by PyCrypto:
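import jwt, Crypto.PublicKey.RSA as RSA, datetime
# Generate a 2048-bit RSA key pair
key = RSA.generate(2048)
payload = {'foo': 'bar', 'wup': 90}
# Sign with RSASSA-PSS (PS256); the token lifetime is 5 minutes
token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(minutes=5))
# Verify the signature and the exp, iat and nbf times
header, claims = jwt.verify_jwt(token, key)
for k in payload:
    assert claims[k] == payload[k]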
The expiry time of the token is set to 5 minutes.
The API documentation is linked to from the python-jwt homepage. python-jwt comes with a full set of unit tests (including interoperability with node-jsjws) and some benchmarks.
I've decided not to compare benchmark results with node-jsjws because I don't want to get into comparing Node.js with Python.