This library helps you verify tokens that have been issued by Okta. To learn more about verification cases and Okta's tokens, please read Working With OAuth 2.0 Tokens.
Requires Python version 3.6.0 or higher.
This library uses semantic versioning and follows Okta's Library Version Policy.
| Version | Status |
|---|---|
| 0.x | :heavy_check_mark: Beta Release |
The latest release can always be found on the releases page.
If you run into problems using the SDK, you can
To install Okta JWT Verifier Python:
```bash
pip install okta-jwt-verifier
```
This library was built to keep configuration to a minimum. To get it running in its most basic form, all you need to provide is the following information:

- Issuer: the URL of your Okta authorization server, ending in `/oauth2/default`. For example, `https://dev-1234.oktapreview.com/oauth2/default`.
- Audience: by default `api://default`; it can be found on the Authorization Servers tab.

The following example will raise a `JWTValidationException` if the Access Token is invalid:
```python
import asyncio
from okta_jwt_verifier import BaseJWTVerifier


async def main():
    jwt_verifier = BaseJWTVerifier(issuer='{ISSUER}', audience='api://default')
    await jwt_verifier.verify_access_token('{JWT}')
    print('Token validated successfully.')

loop = asyncio.get_event_loop()
loop.run_until_complete(main())
```
These examples will help you understand how to use this library.
Verify ID Token:
```python
import asyncio
from okta_jwt_verifier import BaseJWTVerifier


async def main():
    jwt_verifier = BaseJWTVerifier(issuer='{ISSUER}', client_id='{CLIENT_ID}', audience='api://default')
    await jwt_verifier.verify_id_token('{JWT}', nonce='{NONCE}')
    print('Token validated successfully.')

loop = asyncio.get_event_loop()
loop.run_until_complete(main())
```
Note: the `nonce` parameter is optional and is required only if the token was generated with a nonce.

Another option is to use the class dedicated to ID token verification:
```python
import asyncio
from okta_jwt_verifier import IDTokenVerifier


async def main():
    jwt_verifier = IDTokenVerifier(issuer='{ISSUER}', client_id='{CLIENT_ID}', audience='api://default')
    await jwt_verifier.verify('{JWT}', nonce='{NONCE}')
    print('Token validated successfully.')

loop = asyncio.get_event_loop()
loop.run_until_complete(main())
```
Verify Access Token:

```python
import asyncio
from okta_jwt_verifier import AccessTokenVerifier


async def main():
    jwt_verifier = AccessTokenVerifier(issuer='{ISSUER}', audience='api://default')
    await jwt_verifier.verify('{JWT}')
    print('Token validated successfully.')

loop = asyncio.get_event_loop()
loop.run_until_complete(main())
```
It is possible to verify only the signature if a JWK is provided (no async requests):

```python
from okta_jwt_verifier import BaseJWTVerifier


def main():
    jwt_verifier = BaseJWTVerifier('{ISSUER}', '{CLIENT_ID}', 'api://default')
    # {JWK} is a placeholder for the JWK (a dict) whose 'kid' matches the token header
    jwt_verifier.verify_signature('{JWT}', {JWK})

main()
```
The following example shows how to retrieve the JWK using an async HTTP request:

```python
import asyncio
from okta_jwt_verifier import BaseJWTVerifier


async def main():
    jwt_verifier = BaseJWTVerifier('{ISSUER}', '{CLIENT_ID}', 'api://default')
    headers, claims, signing_input, signature = jwt_verifier.parse_token('{JWT}')
    # Fetch the issuer's JWK whose 'kid' matches the token header
    okta_jwk = await jwt_verifier.get_jwk(headers['kid'])
    # Then it can be used to verify_signature as in the example above.
    jwt_verifier.verify_signature('{JWT}', okta_jwk)

loop = asyncio.get_event_loop()
loop.run_until_complete(main())
```
It is possible to verify only a given list of claims (no async requests):

```python
from okta_jwt_verifier import BaseJWTVerifier


def main():
    claims_to_verify = ['aud', 'iss']
    jwt_verifier = BaseJWTVerifier('{ISSUER}', '{CLIENT_ID}', 'api://default')
    headers, claims, signing_input, signature = jwt_verifier.parse_token('{JWT}')
    jwt_verifier.verify_claims(claims, claims_to_verify)

main()
```
or the token expiration only (no async requests):

```python
from okta_jwt_verifier import BaseJWTVerifier


def main():
    jwt_verifier = BaseJWTVerifier('{ISSUER}', '{CLIENT_ID}', 'api://default')
    jwt_verifier.verify_expiration('{JWT}', leeway=0)

main()
```
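To make concrete what the `parse_token`, `verify_claims` and `verify_expiration` calls above are checking, here is an added stand-alone illustration (not the library's own code) that splits a compact JWT into the same four parts and then validates `iss`, `aud`, `exp` with clock leeway and an optional `nonce`, raising a same-named exception on failure. The token is constructed inline and carries a dummy signature; the RS256 signature check against the issuer's JWK is deliberately left to the library.

```python
import base64
import json
import time


class JWTValidationException(Exception):
    """Raised when a claim check fails (same name as the library's exception)."""


def _b64url_decode(segment):
    # JWT segments omit '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_token(token):
    """Split a compact JWT into (headers, claims, signing_input, signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTValidationException("Token must have exactly three segments")
    headers = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signing_input = (parts[0] + "." + parts[1]).encode()  # bytes the signature covers
    return headers, claims, signing_input, _b64url_decode(parts[2])


def verify_claims(claims, issuer, audience, nonce=None, leeway=0, now=None):
    """Check iss, aud and exp (plus nonce for ID tokens) with clock leeway."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise JWTValidationException("Issuer does not match")
    aud = claims.get("aud")  # 'aud' may be a string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JWTValidationException("Audience does not match")
    if "exp" not in claims or now >= claims["exp"] + leeway:
        raise JWTValidationException("Signature has expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise JWTValidationException("Nonce does not match")
    return True


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token (not issued by Okta; the signature segment is a dummy)
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "https://dev-1234.oktapreview.com/oauth2/default",
        "aud": "api://default", "iat": 1700000000, "exp": 1700003600,
        "nonce": "constructed-nonce"}).encode()),
    _b64url_encode(b"\x00" * 8),
])
```

Passing `now` explicitly, as the assertions do, is also how you pin such checks in unit tests instead of depending on the wall clock.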
Version 0.2.0 adds support for working via a proxy:

```python
from okta_jwt_verifier import BaseJWTVerifier, AccessTokenVerifier, IDTokenVerifier

# BaseJWTVerifier will be deprecated soon
jwt_verifier = BaseJWTVerifier(issuer='{ISSUER}', proxy='{PROXY}')
# The same for AccessTokenVerifier
jwt_verifier = AccessTokenVerifier(issuer='{ISSUER}', proxy='{PROXY}')
# or IDTokenVerifier
jwt_verifier = IDTokenVerifier(issuer='{ISSUER}', proxy='{PROXY}')
```
If the token is invalid (malformed, expired, etc.), the verifier will raise a `JWTValidationException`:

```python
import asyncio
from okta_jwt_verifier import BaseJWTVerifier

access_token = '{JWT}'  # placeholder for the token under test


async def main():
    jwt_verifier = BaseJWTVerifier('{ISSUER}', '{CLIENT_ID}', 'api://default')
    await jwt_verifier.verify_access_token(access_token)

loop = asyncio.get_event_loop()
loop.run_until_complete(main())
```
Output (part of traceback removed for simplicity):

```text
Traceback (most recent call last):
...
okta_jwt_verifier.exceptions.JWTValidationException: Signature has expired.
```
If the configuration provided is invalid, the verifier will raise a `JWTInvalidConfigException`:

```python
import asyncio
from okta_jwt_verifier import BaseJWTVerifier

access_token = '{JWT}'  # placeholder for the token under test


async def main():
    # Issuer lacks the required https:// scheme, so configuration validation fails
    jwt_verifier = BaseJWTVerifier('malformed_issuer.com', '{CLIENT_ID}', 'api://default')
    await jwt_verifier.verify_access_token(access_token)

loop = asyncio.get_event_loop()
loop.run_until_complete(main())
```
Output (part of traceback removed for simplicity):

```text
Traceback (most recent call last):
...
okta_jwt_verifier.exceptions.JWTInvalidConfigException: Your Okta URL must start with 'https'.
```
If the JWK is invalid (for example, no key at the issuer matches the token's `kid`), the verifier will raise a `JWKException`:

```python
import asyncio
from okta_jwt_verifier import BaseJWTVerifier

access_token = '{JWT}'  # placeholder for the token under test


async def main():
    jwt_verifier = BaseJWTVerifier('{ISSUER}', '{CLIENT_ID}', 'api://default')
    await jwt_verifier.verify_access_token(access_token)

loop = asyncio.get_event_loop()
loop.run_until_complete(main())
```
Output (part of traceback removed for simplicity):

```text
Traceback (most recent call last):
...
okta_jwt_verifier.exceptions.JWKException: No matching JWK.
```
We're happy to accept contributions and PRs! Please see the Contribution Guide to understand how to structure a contribution.