JWT Class

Properties Methods Events Configuration Settings Errors

Create, Sign, Encrypt, Verify and Decrypt JSON Web Tokens (JWTs).

Syntax

class ipworksauth.JWT

Remarks

The JWT class supports signing, encrypting, decrypting and verifying JSON Web Tokens (JWTs).

Specify a set of claims via the Claim* properties or add your own claims with add_claim. Call sign to create a signed JWT using a variety of signing algorithms including HMAC, RSA, and ECDSA. Use verify to verify the signature of any received JWT. See signing_algorithm for more details about supported algorithms.

Use encrypt to create an encrypted JWT using a variety of algorithms including ECDH, RSA, and AES. Use decrypt to decrypt the payload of any received JWT. See encryption_algorithm for more details about supported algorithms.

Signing

The sign method may be used to sign a payload with a variety of algorithms. Before calling the sign method set signing_algorithm to the algorithm which will be used to sign the message. The result of signing is a compact serialized JWT string. For instance:

eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOlsiYXVkaWVuY2UiXSwiaXNzIjoiaXNzdWVyIn0.mlFETSma4WUcUSjNSUWA1n9QBcQHCkHN-y4zeBsCVqI

The class will use the values present in the Claim* properties to build the encoded JWT. After calling this method the encoded_jwt property will hold the compact serialized JWT. The following properties are applicable when calling this method:

signing_algorithm (required)
certificate (conditional - required for ECDSA and RSA)
key (conditional - required for HMAC)
claim_audience
claim_exp
claim_issued_at
claim_issuer
claim_jwt_id
claim_not_before
HeaderParam*
key_id

Notes for HMAC Algorithms (HS256, HS384, HS512)

When signing_algorithm is set to a HMAC algorithm key must be set to a key of appropriate length for the algorithm. The key should be the same number of bits as the algorithm being used. For instance a 256 bit key would be used for HS256.

The key must be known by both parties in order for signing and verification to take place. To use an existing HMAC key provide the bytes to the key property. For instance:

//HMAC SHA-256 Key
byte[] key = new byte[] { 170, 171, 221, 209, 7, 181, 48, 178, 48, 118, 242, 132, 36, 218, 74, 140, 216, 165, 161, 70, 11, 42, 246, 205, 235, 231, 19, 48, 87, 141, 122, 10 };

//Sign the payload using HS256
Jwt jwt = new Jwt();
jwt.SigningAlgorithm = JwtSigningAlgorithms.saHS256;
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.KeyB = key;
jwt.Sign();

string signedData = jwt.EncodedJWT;

Notes for RSA Algorithms (RS256, RS384, RS512, PS256, PS384, PS512)

The RSA based algorithms use asymmetric encryption. Signing is done with a private key and verification is done with a public key. The private key may be in PFX or PEM format.

Jwt jwt = new Jwt();
jwt.SigningAlgorithm = JwtSigningAlgorithms.saRS256;
jwt.Certificate = new Certificate(CertStoreTypes.cstPFXFile, "..\\jwt.pfx", "test", "*");
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.Sign();

string signedMessage = jwt.EncodedJWT;

Notes for ECDSA Algorithms (ES256, ES384, ES512)

ECDSA algorithms require a valid ECC private key to sign. The ECC class can be used to create or import an ECC key into the Certificate format accepted by the JWS class.

//Create an ECC key with SHA-256
nsoftware.IPWorksEncrypt.Ecc ecc = new nsoftware.IPWorksEncrypt.Ecc();
ecc.HashAlgorithm = nsoftware.IPWorksEncrypt.EccHashAlgorithms.ehaSHA256;
ecc.CreateKey();

string privKey = ecc.Key.PrivateKey;

//Sign the payload using ES256
Jwt jwt = new Jwt();
jwt.SigningAlgorithm = JwtSigningAlgorithms.saES256;
jwt.Certificate = new Certificate(CertStoreTypes.cstPEMKeyBlob, privKey, "", "*");
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.Sign();

string signedMessage = jwt.EncodedJWT;

To use an existing ECC Key populate the Rx, Ry, and K values of Key property in the ECC class first. For instance:

//Import an existing ECC private key
nsoftware.IPWorksEncrypt.Ecc ecc = new nsoftware.IPWorksEncrypt.Ecc();

byte[] x_bytes = new byte[] { 171, 170, 196, 151, 94, 196, 231, 12, 128, 232, 17, 61, 45, 105, 41, 209, 192, 187, 112, 242, 110, 178, 95, 240, 36, 55, 83, 171, 190, 176, 78, 13 };
byte[] y_bytes = new byte[] { 197, 75, 134, 245, 245, 28, 199, 9, 7, 117, 1, 54, 49, 178, 135, 252, 62, 89, 35, 180, 117, 80, 231, 23, 110, 250, 28, 124, 219, 253, 224, 156 };
byte[] k_bytes = new byte[] { 81, 65, 201, 24, 235, 249, 162, 148, 169, 150, 109, 181, 61, 238, 145, 122, 31, 30, 151, 94, 239, 90, 222, 217, 63, 103, 54, 2, 176, 232, 248, 168 };

ecc.Key.RxB = x_bytes;
ecc.Key.RyB = y_bytes;
ecc.Key.KB = k_bytes;

string privKey = ecc.Key.PrivateKey;

//Sign the payload using ES256
Jwt jwt = new Jwt();
jwt.SigningAlgorithm = JwtSigningAlgorithms.saES256;
jwt.Certificate = new Certificate(CertStoreTypes.cstPEMKeyBlob, privKey, "", "*");
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.Sign();

string signedMessage = jwt.EncodedJWT;

Notes for Unsecured (none)

To create a JWS token without any security set signing_algorithm to jwtNone.

Jwt jwt = new Jwt();
jwt.SigningAlgorithm = JwtSigningAlgorithms.saNone;
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.Sign();

string unsecuredMessage = jwt.EncodedJWT;

Signature Verification

The verify method may be used to verify a received JWS message. Before calling the verify method set encoded_jwt to a valid compact serialized JWT. For instance:

eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOlsiYXVkaWVuY2UiXSwiaXNzIjoiaXNzdWVyIn0.mlFETSma4WUcUSjNSUWA1n9QBcQHCkHN-y4zeBsCVqI

key or signer_cert should be set to the HMAC key or public certificate respectively. If the correct key or signer_cert is not known ahead of time the KeyId parameter of the on_signer_info event may be used to identify the correct key.

If this method returns without error verification was successful. If verification fails then this method fails with an error. After calling this method the claims will be parsed and the Claim* properties will be populated. The the Header* properties will contain the headers. Headers of the parsed message are also available through the on_header_param event.

The following properties are applicable when calling this method:

encoded_jwt (required)
key (conditional - required for HMAC)
signer_cert (conditional - required for ECDSA and RSA)
signing_algorithm (only if StrictValidation is True)
StrictValidation

After calling this method the following properties are populated:

Notes for HMAC Algorithms (HS256, HS384, HS512)

When verifying a message originally signed with a HMAC algorithm key must be set to the same key used during signing. The key must be known by both parties in order for signing and verification to take place.

byte[] key = new byte[] { 170, 171, 221, 209, 7, 181, 48, 178, 48, 118, 242, 132, 36, 218, 74, 140, 216, 165, 161, 70, 11, 42, 246, 205, 235, 231, 19, 48, 87, 141, 122, 10 };

Jwt jwt = new Jwt();
jwt.KeyB = key;
jwt.EncodedJWT = signedData;
jwt.Verify();

string issuer = jwt.ClaimIssuer;

Notes for RSA Algorithms (RS256, RS384, RS512, PS256, PS384, PS512)

The RSA based algorithms use asymmetric encryption. Signing is done with a private key and verification is done with a public key. The public key is typically in PEM format.

Jwt jwt = new Jwt();
jwt.SignerCert = new Certificate("..\\jwt.cer"); 
jwt.EncodedJWT = signedData;
jwt.Verify();

string issuer = jwt.ClaimIssuer;

Notes for ECDSA Algorithms (ES256, ES384, ES512)

ECDSA algorithms require a valid ECC public key to verify the message. If the key was originally created with the ECC class the PEM encoded PublicKey may be used directly with the certificate property. An example PEM encoded public certificate created by the ECC class:

-----BEGIN PUBLIC KEY----- MIIBMjCB7AYHKoZIzj0CATCB4AIBATAsBgcqhkjOPQEBAiEA/////wAAAAEAAAAAAAAAAAAA AAD///////////////8wRAQg/////wAAAAEAAAAAAAAAAAAAAAD///////////////wEIFrG NdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n0mBLBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt 6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8AAAAA //////////+85vqtpxeehPO5ysL8YyVRAgEBA0EEIC5rbLp11Mnz6cBXLLriaDIov3rm8RAY x/OR0bOKiff0cQy+sLVaxjseqFk/+Xvl4ORSv5Z6HdHv5GyEpA0UoA== -----END PUBLIC KEY-----

Jwt jwt = new Jwt();
jwt.SignerCert = new Certificate(CertStoreTypes.cstPublicKeyFile, pubKey, "", "*");
jwt.EncodedJWT = signedData;
jwt.Verify();

string issuer = jwt.ClaimIssuer;

To use an ECC public key created by other means the ECC class may be used to import the key parameters. Populate the Rx and Ry of the ECC class first to obtain the PEM formatted public key. For instance:

//Import an existing ECC public key
nsoftware.IPWorksEncrypt.Ecc ecc = new nsoftware.IPWorksEncrypt.Ecc();

byte[] x_bytes = new byte[] { 171, 170, 196, 151, 94, 196, 231, 12, 128, 232, 17, 61, 45, 105, 41, 209, 192, 187, 112, 242, 110, 178, 95, 240, 36, 55, 83, 171, 190, 176, 78, 13 };
byte[] y_bytes = new byte[] { 197, 75, 134, 245, 245, 28, 199, 9, 7, 117, 1, 54, 49, 178, 135, 252, 62, 89, 35, 180, 117, 80, 231, 23, 110, 250, 28, 124, 219, 253, 224, 156 };

ecc.Key.RxB = x_bytes;
ecc.Key.RyB = y_bytes;

string pubKey = ecc.Key.PublicKey;

Jwt jwt = new Jwt();
jwt.SignerCert = new Certificate(CertStoreTypes.cstPublicKeyFile, pubKey, "", "*");
jwt.EncodedJWT = signedData;
jwt.Verify();

string issuer = jwt.ClaimIssuer;

Notes for Unsecured (none)

To parse a JWS token without any security call the sign method without setting key or certificate.

Jwt jwt = new Jwt();
jwt.EncodedJWT = signedData;
jwt.Verify();

string issuer = jwt.ClaimIssuer;

Encrypting

The encrypt method may be used to encrypt a payload with a variety of algorithms. To create an encrypted JWT JSON Web Encryption (JWE) is performed by first generating a random key used to encrypt the content. The content encryption key is used to encrypt the content using the algorithm specified by content_encryption_algorithm. The content encryption key is then encrypted itself using the algorithm specified by encryption_algorithm. The content encryption key is not directly exposed in the API as it is randomly generated.

After calling this method the compact serialized JWT is written to encoded_jwt. For instance:

eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.4tcAnZJ00u4GY2kLOanPOL4CtvcfraZ8SIi6bOZ27qYBI2rHITPc1Q.c_9rCTdPn-saLCti2ZEyWQ.eLwqqo5BGNa70RlsvT-vTh7Gk0hjpJYY_9Zc39Vim_qEtjyMcxZygBpkfx9brzQr9rUbuiAhoCMXKip2-lKT6w.NkuLDPmWxWL4BaTWHWicIQ

encryption_algorithm (required)
key (conditional - required for AES)
key_password (conditional - required for PBES)
recipient_cert (conditional - required for ECDH and RSA)
claim_audience
claim_exp
claim_issued_at
claim_issuer
claim_jwt_id
claim_not_before
CompressionAlgorithm
content_encryption_algorithm
HeaderParam*
key_id

Notes for AES Algorithms (A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW)

When encryption_algorithm is set to a AES algorithm key must be set to a key of appropriate length for the algorithm. For instance a 256 bit key would be used for A256KW.

To use an existing AES key provide the bytes to the key property. For instance:

byte[] key = new byte[] { 164, 60, 194, 0, 161, 189, 41, 38, 130, 89, 141, 164, 45, 170, 159, 209, 69, 137, 243, 216, 191, 131, 47, 250, 32, 107, 231, 117, 37, 158, 225, 234 };

//Encrypt the payload using A256KW
Jwt jwt = new Jwt();
jwt.KeyB = key;
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.EncryptionAlgorithm = JwtEncryptionAlgorithms.eaA256KW;
jwt.Encrypt();

string encryptedData = jwt.EncodedJWT;

Notes for RSA Algorithms (RSA1_5, RSA-OEAP, RSA-OAEP-256)

The RSA based algorithms use asymmetric encryption. Encrypting is done with a public key and decryption is done with a private key. The public certificate should be in PEM (base64) format. For instance:

Jwt jwt = new Jwt();
jwt.Certificate = new Certificate("..\\recipient.cer");
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.EncryptionAlgorithm = JwtEncryptionAlgorithms.eaRSA_OAEP;
jwt.Encrypt();

string encryptedData = jwt.EncodedJWT;

Notes for ECDH Algorithms (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW)

ECDH algorithms require a valid ECC public key to encrypt the message. If the key was originally created with the ECC class the PEM encoded PublicKey may be used directly with the certificate property. An example PEM encoded public certificate created by the ECC component:

Jwt jwt = new Jwt();
jwt.Certificate = new Certificate(CertStoreTypes.cstPublicKeyFile, pubKeyFile, "", "*");
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.EncryptionAlgorithm = JwtEncryptionAlgorithms.eaECDH_ES_A256KW;
jwt.Encrypt();

string encryptedData = jwt.EncodedJWT;

To use an ECC public key created by other means the ECC class may be used to import the key parameters. Populate the Rx and Ry properties of the ECC component first to obtain the PEM formatted public key. For instance:

byte[] x_bytes = new byte[] { 171, 170, 196, 151, 94, 196, 231, 12, 128, 232, 17, 61, 45, 105, 41, 209, 192, 187, 112, 242, 110, 178, 95, 240, 36, 55, 83, 171, 190, 176, 78, 13 };
byte[] y_bytes = new byte[] { 197, 75, 134, 245, 245, 28, 199, 9, 7, 117, 1, 54, 49, 178, 135, 252, 62, 89, 35, 180, 117, 80, 231, 23, 110, 250, 28, 124, 219, 253, 224, 156 };

nsoftware.IPWorksEncrypt.Ecc ecc = new nsoftware.IPWorksEncrypt.Ecc();
ecc.Key.RxB = x_bytes;
ecc.Key.RyB = y_bytes;

string pubKey = ecc.Key.PublicKey;

Jwt jwt = new Jwt();
jwt.Certificate = new Certificate(CertStoreTypes.cstPublicKeyFile, pubKey, "", "*");
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.EncryptionAlgorithm = JwtEncryptionAlgorithms.eaECDH_ES_A256KW;
jwt.Encrypt();

string encryptedData = jwt.EncodedJWT;

Notes for PBES Algorithms (PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW

PBES algorithms derive a content encryption key from the key_password property. Set key_password to a shared secret.

Jwt jwt = new Jwt();
jwt.KeyPassword = "secret";
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.EncryptionAlgorithm = JwtEncryptionAlgorithms.eaPBES2_HS512_A256KW;
jwt.Encrypt();

string encryptedData = jwt.EncodedJWT;

Notes for Direct Shared Keys

When encryption_algorithm is set to Direct the key property must be set to a valid symmetric key that will be used directly by the content_encryption_algorithm. In this case a content encryption key is not generated randomly, the key is used instead. The length of the specified key must be valid for the selected content_encryption_algorithm. For instance:

byte[] key = new byte[] { 164, 62, 191, 60, 161, 189, 41, 38, 130, 89, 141, 164, 45, 170, 159, 209, 69, 137, 243, 216, 191, 131, 47, 250, 32, 107, 231, 117, 37, 158, 225, 234 };

Jwt jwt = new Jwt();
jwt.EncryptionAlgorithm = JwtEncryptionAlgorithms.eaDir;
jwt.ContentEncryptionAlgorithm = JwtContentEncryptionAlgorithms.ceaA256GCM;
jwt.KeyB = key;
jwt.ClaimAudience = "audience";
jwt.ClaimIssuer = "issuer";
jwt.ClaimExp = "1498508071";
jwt.Encrypt();

string encryptedData = jwt.EncodedJWT;

Decrypting

The decrypt method may be used to decrypt a received JWE message. Before calling the decrypt method set encoded_jwt to a valid compact serialized JWT string. For instance:

The type and format of the private key depends on the algorithm used to encrypt the data. The following table summarizes the relationship:


Algorithm	Private Key Location
AES	key
RSA and ECDH	certificate
PBES	key_password

If the correct key or certificate is not known ahead of time the KeyId parameter of the on_recipient_info event may be used to identify the correct key.

If this method returns without error decryption was successful. If decryption fails then this method fails with an error. After calling this method the payload will be present in the Claim* properties and the Header* properties will contain the headers. Headers of the parsed message are also available through the on_header_param event.

The following properties are applicable when calling this method:

certificate (conditional - required for RSA and ECDH)
encoded_jwt
key (conditional - required for AES)
content_encryption_algorithm (only if StrictValidation is True)
encryption_algorithm (only if StrictValidation is True)
Header*
StrictValidation

After calling this method the following properties are populated:

Notes for AES Algorithms (A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW)

To decrypt messages that use AES encryption key must be set to a key of appropriate length for the algorithm. For instance a 256 bit key would be used for A256KW.

The key must be known by both parties in order for encryption and decryption to take place.

byte[] key = new byte[] { 164, 60, 194, 0, 161, 189, 41, 38, 130, 89, 141, 164, 45, 170, 159, 209, 69, 137, 243, 216, 191, 131, 47, 250, 32, 107, 231, 117, 37, 158, 225, 234 };

Jwt jwt = new Jwt();
jwt.KeyB = key;
jwt.EncodedJWT = encryptedData;
jwt.Decrypt();

string issuer = jwt.ClaimIssuer;

Notes for RSA Algorithms (RSA1_5, RSA-OEAP, RSA-OAEP-256)

The RSA based algorithms use asymmetric encryption. Encrypting is done with a public key and decryption is done with a private key. The certificate with private key must be specified. For instance:

Jwt jwt = new Jwt();
jwt.Certificate = new Certificate(CertStoreTypes.cstPFXFile, "..\\jwt.pfx", "password", "*");
jwt.EncodedJWT = encryptedData;
jwt.Decrypt();

string issuer = jwt.ClaimIssuer;

Notes for ECDH Algorithms (ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW)

ECDH algorithms require a valid ECC private key to decrypt the message. If the key was originally created with the ECC class the PEM encoded PrivateKey may be used directly with the certificate property.

Jwt jwt = new Jwt();
jwt.Certificate = new Certificate(CertStoreTypes.cstPEMKeyFile, privKeyFile, "", "*");
jwt.EncodedJWT = encryptedData;
jwt.Decrypt();

string issuer = jwt.ClaimIssuer;

To use an ECC private key created by other means the ECC class may be used to import the key parameters. Populate the Rx, Ry, and KB properties of the ECC component first to obtain the PEM formatted public key. For instance:

nsoftware.IPWorksEncrypt.Ecc ecc = new nsoftware.IPWorksEncrypt.Ecc();

byte[] x_bytes = new byte[] { 171, 170, 196, 151, 94, 196, 231, 12, 128, 232, 17, 61, 45, 105, 41, 209, 192, 187, 112, 242, 110, 178, 95, 240, 36, 55, 83, 171, 190, 176, 78, 13 };
byte[] y_bytes = new byte[] { 197, 75, 134, 245, 245, 28, 199, 9, 7, 117, 1, 54, 49, 178, 135, 252, 62, 89, 35, 180, 117, 80, 231, 23, 110, 250, 28, 124, 219, 253, 224, 156 };
byte[] k_bytes = new byte[] { 81, 65, 201, 24, 235, 249, 162, 148, 169, 150, 109, 181, 61, 238, 145, 122, 31, 30, 151, 94, 239, 90, 222, 217, 63, 103, 54, 2, 176, 232, 248, 168 };

ecc.Key.RxB = x_bytes;
ecc.Key.RyB = y_bytes;
ecc.Key.KB = k_bytes;

string privKey = ecc.Key.PrivateKey;

Jwt jwt = new Jwt();
jwt.Certificate = new Certificate(CertStoreTypes.cstPEMKeyBlob, privKey, "", "*");
jwt.EncodedJWT = encryptedData;
jwt.Decrypt();

string issuer = jwt.ClaimIssuer;

Notes for PBES Algorithms (PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW

PBES algorithms derive a content encryption key from the key_password property. Set key_password to the shared secret.

Jwt jwt = new Jwt();
jwt.KeyPassword = "secret";
jwt.EncodedJWT = encryptedData;
jwt.Decrypt();

string issuer = jwt.ClaimIssuer;

Notes for Direct Shared Keys

When Direct encryption is used the key property must be set to a valid symmetric key that will be used directly by the content_encryption_algorithm. For instance:

byte[] key = new byte[] { 164, 60, 194, 0, 161, 189, 41, 38, 130, 89, 141, 164, 45, 170, 159, 209, 69, 137, 243, 216, 191, 131, 47, 250, 32, 107, 231, 117, 37, 158, 225, 234 };

Jwt jwt = new Jwt();
jwt.KeyB = key;
jwt.EncodedJWT = encryptedData;
jwt.Decrypt();

string issuer = jwt.ClaimIssuer;

Other Functionality

In addition to standard operations the class also supports a variety of other features including:

Adding custom header parameters with add_header_param
Enforcing algorithm restrictions when verifying by setting StrictValidation
Inspect the JWT without verifying or decrypting by calling parse

Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.


cert_encoded	The certificate (PEM/base64 encoded).
cert_store	The name of the certificate store for the client certificate.
cert_store_password	If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
cert_store_type	The type of certificate store for this certificate.
cert_subject	The subject of the certificate used for client authentication.
claim_audience	The audience claim.
claim_exp	The expiration time claim.
claim_issued_at	The claim indicating the time at which the JWT was issued.
claim_issuer	The issuer of the JWT.
claim_jwt_id	The unique identifier for the JWT.
claim_not_before	The claim identifying the time before which the JWT is invalid.
jwt_claim_count	The number of records in the JWTClaim arrays.
jwt_claim_data_type	The data type of the claim value.
jwt_claim_name	The claim name.
jwt_claim_value	The claim value.
claim_subject	The subject identifies the principal of the JWT.
content_encryption_algorithm	The algorithm used to encrypt the content.
encoded_jwt	The encoded JWT.
encryption_algorithm	The key encryption algorithm.
header_param_count	The number of records in the HeaderParam arrays.
header_param_data_type	The data type of the header parameter.
header_param_name	The header parameter name.
header_param_value	The header parameter value.
key	The key used for HMAC and AES.
key_id	The Id of the key used to sign or encrypt the message.
key_password	The key password used in the PBES algorithm.
recipient_cert_encoded	The certificate (PEM/base64 encoded).
recipient_cert_store	The name of the certificate store for the client certificate.
recipient_cert_store_password	If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
recipient_cert_store_type	The type of certificate store for this certificate.
recipient_cert_subject	The subject of the certificate used for client authentication.
signer_cert_encoded	The certificate (PEM/base64 encoded).
signer_cert_store	The name of the certificate store for the client certificate.
signer_cert_store_password	If the certificate store is of a type that requires a password, this property is used to specify that password in order to open the certificate store.
signer_cert_store_type	The type of certificate store for this certificate.
signer_cert_subject	The subject of the certificate used for client authentication.
signing_algorithm	The algorithm used when signing.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.


add_claim	Adds an new claim.
add_header_param	Adds additional header parameters.
config	Sets or retrieves a configuration setting.
decrypt	Decrypts the encoded JWT.
encrypt	Encrypts the claims with the specified algorithms.
parse	Parses the encoded JWT.
reset	Resets the class properties.
sign	Signs the payload with the specified algorithm.
verify	Verifies the signature of the encoded JWT.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.


on_claim_info	Fires once for each claim.
on_error	Information about errors during data delivery.
on_header_param	Fires once for each JOSE header parameter.
on_recipient_info	Fired with information about the recipient key of the encrypted message.
on_signer_info	Fires with information about the signature.

Configuration Settings

The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.


AllowedSigningAlgorithms	Allowed signing algorithms when StrictValidation is set to True.
AudienceDelimiter	Defines the character to separate audience values.
CompressionAlgorithm	The compression algorithm to use.
IncludeCertificateFormat	The certificate values to include in the signed message (if any).
InputMessage	The raw input to process.
IsEncrypted	Indicates whether the EncodedJWT is encrypted.
IsSigned	Indicates whether the EncodedJWT is signed.
IssuerCerts	A collection of issuer certificates used with IncludeCertificateFormat.
KeyEncoding	The encoding of the Key value.
OutputMessage	The raw output of the operation.
PartyUInfo	Information about the producer of the message.
PartyVInfo	Information about the recipient of the message.
PBES2Count	The PBKDF2 iteration count.
PBES2SaltLength	The salt input value length.
RawHeader	Holds the raw JOSE header.
StrictValidation	Requires specific algorithms when processing.
BuildInfo	Information about the product's build.
CodePage	The system code page used for Unicode to Multibyte translations.
LicenseInfo	Information about the current license.
ProcessIdleEvents	Whether the class uses its internal event loop to process events when the main thread is idle.
SelectWaitMillis	The length of time in milliseconds the class will wait when DoEvents is called if there are no events to process.
UseInternalSecurityAPI	Tells the class whether or not to use the system security libraries or an internal implementation.

IPWorks Auth 2020 Python Edition