
JWT can't be verified #336

Closed
agmezr opened this issue Apr 25, 2019 · 8 comments · Fixed by #340
Labels
type: question Request for information or clarification. Not an issue.

Comments


agmezr commented Apr 25, 2019

I am trying to validate a JWT generated by Google IAP based on this example, but it seems that verifying the token causes problems in the google.auth.jwt module.

I created this token as an example using the tool at https://jwt.io:

```python
from google.auth import jwt

# Token generated with the jwt.io tool; its header declares alg=ES256 and kid=LYyP2g.
token = 'eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkxZeVAyZyJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.OjJokSnHIdMxqTlpT055GJDe72-zoTZBE5NISmrDPx0dletHBTnlbl1wwr0EhWaxgKIesZ7N7eLd4XW-TgX-vA'
# The matching EC public key, PEM-encoded (SubjectPublicKeyInfo, "BEGIN PUBLIC KEY").
cert = '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----\n'
# Fails with the PEM error shown below: the loader expects an RSA public key.
jwt.decode(token, certs=cert)
```

And got the following error:

```
/tests/jwt/google_auth/venv/lib/python3.5/site-packages/rsa/pem.py", line 92, in load_pem
    raise ValueError('No PEM start marker "%s" found' % pem_start)
ValueError: No PEM start marker "b'-----BEGIN RSA PUBLIC KEY-----'" found
```

It seems weird that the jwt module can't decode a token created with the EC256 algorithm, since it is the algorithm used by Google IAP.

Any idea of why this is happening?

Environment

  • OS: GNU/Linux
  • Python version: 3.5
  • pip version: 19.1
  • google-auth version: 1.6.3

Thanks!
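The traceback above results from an ES256 token and an EC public key reaching a PEM loader that only understands RSA keys. As an added example that is not code from this issue or from google-auth (names such as `precheck` and `pem_key_type` are my own), the following stdlib-only check reads the unverified JWT header and the key's algorithm OID and rejects the pair before any verifier is called, pinning the expected `alg` instead of trusting whatever the token declares. It reuses the token and key posted above as its sample input.

```python
import base64
import json

# Constructed inputs: the ES256 token and EC public key posted in this issue
# (the jwt.io sample), reused here only to inspect what they contain.
TOKEN = ('eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkxZeVAyZyJ9.'
         'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.'
         'OjJokSnHIdMxqTlpT055GJDe72-zoTZBE5NISmrDPx0dletHBTnlbl1wwr0EhWaxgKIesZ7N7eLd4XW-TgX-vA')
PUBLIC_KEY_PEM = ('-----BEGIN PUBLIC KEY-----\n'
                  'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\n'
                  'q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n'
                  '-----END PUBLIC KEY-----\n')

# DER-encoded algorithm OIDs that appear inside a SubjectPublicKeyInfo.
EC_PUBLIC_KEY_OID = bytes.fromhex('06072a8648ce3d0201')      # id-ecPublicKey
RSA_ENCRYPTION_OID = bytes.fromhex('06092a864886f70d010101')  # rsaEncryption
KEY_TYPE_FOR_ALG = {'ES256': 'EC', 'RS256': 'RSA'}

def b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + '=' * (-len(segment) % 4))

def unverified_header(token: str) -> dict:
    # Only the JOSE header is parsed. Nothing in it is trusted until the
    # signature is verified, so it is used solely to reject the token early.
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('compact JWS must have exactly three segments')
    return json.loads(b64url_decode(parts[0]))

def pem_key_type(pem: str) -> str:
    # Strip the PEM armour and look for the algorithm OID in the DER body.
    body = ''.join(line for line in pem.splitlines() if not line.startswith('-----'))
    der = base64.b64decode(body)
    if EC_PUBLIC_KEY_OID in der:
        return 'EC'
    if RSA_ENCRYPTION_OID in der:
        return 'RSA'
    return 'unknown'

def precheck(token: str, pem: str, allowed_algs=('ES256',)) -> str:
    # Pin the expected algorithm and confirm the key matches it before handing
    # both to a verifier; returns the alg so the caller can pick a backend.
    alg = unverified_header(token).get('alg')
    if alg not in allowed_algs:
        raise ValueError(f'alg {alg!r} is not in the allow-list {allowed_algs}')
    key_type = pem_key_type(pem)
    if key_type != KEY_TYPE_FOR_ALG[alg]:
        raise ValueError(f'{alg} needs an {KEY_TYPE_FOR_ALG[alg]} key, got {key_type}')
    return alg
```

Signature verification itself still needs a backend with ES256 support; this check only keeps a mismatched key type or an unexpected `alg` from reaching it.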

@yoshi-automation yoshi-automation added the triage me I really want to be triaged. label Apr 25, 2019
@busunkim96 busunkim96 added type: question Request for information or clarification. Not an issue. and removed triage me I really want to be triaged. labels Apr 25, 2019
@busunkim96 (Contributor)

We have an open pull request to add support for ES256: #157.

To add some context: At the time this library was written, there were no Google products that required ES256. With the launch of Cloud IAP, that has changed. We recommend you take the approach of the IAP documentation for Python and use the jwt library until support is added in google-auth.

Thank you!


agmezr commented Apr 25, 2019

Thanks for your response. The problem is that I can't use the jwt library, since I am using App Engine and Python 3 and this library won't work on App Engine.

@busunkim96 (Contributor)

Ah I see. Would the workaround here work for you?

@engelke Could you provide guidance on how to proceed?


agmezr commented Apr 25, 2019

The problem with that workaround for me is that the security team won't allow me to use the ecdsa pure Python library due to security concerns with that library.

@busunkim96 (Contributor)

Hi @agmezr, could you confirm which version of App Engine you are using? You should be able to use pyjwt (and other libraries using cryptography) if you are using the Python 3 runtime. Third-party libraries with C extensions are only prohibited in the Python 2 runtime.


agmezr commented May 6, 2019

I am using Python 3.7 (runtime: python37 from my app.yaml file); the App Engine version is 1.9.71.

@busunkim96 (Contributor)

In that case you should be able to use another library providing support for pyjwt. @engelke recently wrote a tutorial for IAP using App Engine for Python 3 and python-jose[cryptography]. The example code is here.


agmezr commented May 7, 2019

I think that implementation relies on the ECDSA pure Python implementation. I have tried using that one and, if I recall correctly, when it verified a JWT it fell back to the ECDSA Python implementation:

```python
try:
    from jose.backends.cryptography_backend import CryptographyECKey as ECKey  # noqa: F401
except ImportError:
    from jose.backends.ecdsa_backend import ECDSAECKey as ECKey  # noqa: F401
```

I might be wrong; I will do some tests.
