Why token with kid should be decoded twice?

[Reskov]

decoding and verifying JWT token with kid need token to be loaded and parsed twice. First to get headers and thereafter to verify signature.

headers = jwt.get_unverified_header(token) # parse token
kid = headers["kid"]
public_key = get_public_key(kid)

decoded = jwt.decode( # parse once more
    token,
    public_key,
    verify=True,
    algorithms=[self.alg],
    audience=valid_audiences,
    issuer=self.issuer,
)

Does it possible to eliminate unnecessary second parsing?

For example google-auth does not have such problem
https://github.com/googleapis/google-auth-library-python/blob/2c6ad78917e936f38f87c946209c8031166dc96e/google/auth/jwt.py#L197

[nigoroll]

I would argue that in particular with public key crypto, the duplicate parsing overhead is insignificant, but you are right: decode() could support passing a dict with key ids.
I would suggest to allow a list or dict also as the key argument:

• for a dict and jwt containing a kid, use the corresponding key
• otherwise and for a list try all keys.
  See also: Add multi key and key id support. Styria-Digital/django-rest-framework-jwt#33

@jpadilla I would prepare a PR for this, would this sound like a viable interface to you?

[jpadilla]

Have been working on v2 which includes some new primitives that aim to improve this. Feedback is welcome #470

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days