Fix: InvalidAlgorithmError: The specified alg value is not allowed while trying to decode encoded jwt token in Python
I'm trying to decode a token I have received from an authorization service. The problem is when I try to decode it I get InvalidAlgorithmError: the specified alg value is not allowed.
When you look at the following image below. I can decode the token from the jwt.io site and view the payload.
I'm using the PyJwt library. Below you will find my implementation.
Decoded token in the jwt.io site
Implementation
import jwt
encoded = "eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL3JvbGUiOiJERVZFTE9QRVIiLCJ1c2VyZnVsbG5hbWUiOiJFcmljIE0gS2FyaW1pIiwidXNlcm5hbWUiOiJlcmljIiwidXNlcmlkIjoiMjkiLCJleHAiOjE1NzM0ODE0MzIsImlzcyI6IkVyaWMiLCJhdWQiOiJSZWFkZXJzIn0.tTQckIZGYNHE667NXrxT4YwT4DNZ01u3P3b3IMFyWR4"
key = "somekeyrequiredtodecode"
decoded = jwt.decode(encoded,key, algorithms=['HS256'])
Full StackTrace
~/Desktop/APIs/ncc-api/env/lib/python3.6/site-packages/jwt/api_jws.py in decode(self, jwt, key, verify, algorithms, options, **kwargs)
154 elif verify_signature:
155 self._verify_signature(payload, signing_input, header, signature,
--> 156 key, algorithms)
157
158 return payload
~/Desktop/APIs/ncc-api/env/lib/python3.6/site-packages/jwt/api_jws.py in _verify_signature(self, payload, signing_input, header, signature, key, algorithms)
214
215 if algorithms is not None and alg not in algorithms:
--> 216 raise InvalidAlgorithmError('The specified alg value is not allowed')
217
218 try:
InvalidAlgorithmError: The specified alg value is not allowed
In [7]: v = jwt.decode(key, s, algorithms=['HS256'])
---------------------------------------------------------------------------
InvalidAlgorithmError Traceback (most recent call last)
<ipython-input-7-a9465dfcaa4b> in <module>
----> 1 v = jwt.decode(key, s, algorithms=['HS256'])
~/Desktop/APIs/ncc-api/env/lib/python3.6/site-packages/jwt/api_jwt.py in decode(self, jwt, key, verify, algorithms, options, **kwargs)
90
91 decoded = super(PyJWT, self).decode(
---> 92 jwt, key=key, algorithms=algorithms, options=options, **kwargs
93 )
94
~/Desktop/APIs/ncc-api/env/lib/python3.6/site-packages/jwt/api_jws.py in decode(self, jwt, key, verify, algorithms, options, **kwargs)
154 elif verify_signature:
155 self._verify_signature(payload, signing_input, header, signature,
--> 156 key, algorithms)
157
158 return payload
~/Desktop/APIs/ncc-api/env/lib/python3.6/site-packages/jwt/api_jws.py in _verify_signature(self, payload, signing_input, header, signature, key, algorithms)
214
215 if algorithms is not None and alg not in algorithms:
--> 216 raise InvalidAlgorithmError('The specified alg value is not allowed')
217
218 try:
InvalidAlgorithmError: The specified alg value is not allowed
Answer
In some (not recommended) cases you don't need to validate the signature. If this is your case, use:
jwt.decode(encoded_str, options={"verify_signature": False})
https://pyjwt.readthedocs.io/en/stable/usage.html#reading-the-claimset-without-validation