Let the unverified paylod be read

[frtrotta]

Use case

The JWT is signed with RS256 algorithm and contains the kid claim.
The corresponding key is not available, but it can be obatined via a public endpoint.

Issue

How to access the unverified payload as to read the kid claim, to obtain the key for subsequent verification?

[simo5]

given a JWT you can do this:

from jwcrypto import jwt, jws
Token = 'eyJhbGciOiJIUzI1NiIsImtpZCI6Il8yRmZjZ1BJZjFnYlA4bVp5eXUwV2YxcnhMQWNPRUFMa29ELXdIS1E1NVEifQ.eyJpbmZvIjoiSSdtIGEgc2lnbmVkIHRva2VuIn0.Z7A0Dlc_SncDvNp4fcPp3qfxzm_u7TfjJVTHage7NMc'

jwtok = jwt.JWT(jwt=Token)
if isinstance(jwtok.token, jws.JWS):
    kid = jwtok.token.jose_header.get('kid')
if kid:
   # fetch key
   # and then either
   jwtok.token.verify(key)
   # or regenerate with
   jwtok = jwt.JWT(jwt=Token, key=key)