Not reproductible encoding between versions?

[christophehenry]

A project I work on updated from 2.4.0 to 2.6.0 today and, suddenly, our tests stopped passing. It turns out that some of our tests are checking against the generated JWT and the signature part has changed between 2.4.0 and 2.6.0.

Expected Result

The generated JWT should be consistant between versions.

Actual Result

The signature part of the generated JWT changed between 2.4.0 and 2.6.0 without any other configuration change

Reproduction Steps

pip uninstall pyjwt
pip install -Iv pyjwt==2.4.0

import jwt

id_token = {
    "aud": "w8l&+@iyz^gc%zqg$6xm7cxsui)9m1t_lpr71=8=do_0l3sqih",
    "exp": 1679488464.144009,
    "iat": 1679487269.441549,
    "iss": "http://example.com/",
    "sub": "r^fj^cnr+v+63^kxejxu7$_l*b0jd2b3al+4^p$^dcafld#xd%",
    "nonce": "-6n0=jm*^#aa(6fdo6up-2&5-%q6^evdvh$o&z7l(+xm-edh#9",
}

jwt.encode(id_token, "36gsux75u48j$qgr%4^7^(7a6d3_%=v&k6$(h)2fgvpb49v-ya", algorithm="HS256")

"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ3OGwmK0BpeXpeZ2MlenFnJDZ4bTdjeHN1aSk5bTF0X2xwcjcxPTg9ZG9fMGwzc3FpaCIsImV4cCI6MTY3OTQ4ODQ2NC4xNDQwMDksImlhdCI6MTY3OTQ4NzI2OS40NDE1NDksImlzcyI6Imh0dHA6Ly9leGFtcGxlLmNvbS8iLCJzdWIiOiJyXmZqXmNucit2KzYzXmt4ZWp4dTckX2wqYjBqZDJiM2FsKzRecCReZGNhZmxkI3hkJSIsIm5vbmNlIjoiLTZuMD1qbSpeI2FhKDZmZG82dXAtMiY1LSVxNl5ldmR2aCRvJno3bCgreG0tZWRoIzkifQ.9EMrLXrZzHQd-6qvl18o-82M3KBoWLdCIBhAFAtG_mI"

pip uninstall pyjwt
pip install -Iv pyjwt==2.6.0

jwt.encode(id_token, "36gsux75u48j$qgr%4^7^(7a6d3_%=v&k6$(h)2fgvpb49v-ya", algorithm="HS256")

"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3OGwmK0BpeXpeZ2MlenFnJDZ4bTdjeHN1aSk5bTF0X2xwcjcxPTg9ZG9fMGwzc3FpaCIsImV4cCI6MTY3OTQ4ODQ2NC4xNDQwMDksImlhdCI6MTY3OTQ4NzI2OS40NDE1NDksImlzcyI6Imh0dHA6Ly9leGFtcGxlLmNvbS8iLCJzdWIiOiJyXmZqXmNucit2KzYzXmt4ZWp4dTckX2wqYjBqZDJiM2FsKzRecCReZGNhZmxkI3hkJSIsIm5vbmNlIjoiLTZuMD1qbSpeI2FhKDZmZG82dXAtMiY1LSVxNl5ldmR2aCRvJno3bCgreG0tZWRoIzkifQ.KjgKoSuwhNrW05SF0twy4tIz-uoGLIATiQLaWAKxntU"

System Information

$ python -m jwt.help
{
  "cryptography": {
    "version": ""
  },
  "implementation": {
    "name": "CPython",
    "version": "3.11.2"
  },
  "platform": {
    "release": "6.1.18-200.fc37.x86_64",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.6.0"  # or 2.4.0
  }
}

[andrewsw]

We've seen this issue as well, somewhere between 2.4.0 and 2.6.0.

[jensjeflensje]

I think this issue was already inside 2.5.0. I did some digging, and there's already a comment with an explanation: #806 (comment)

From this, I think it's safe to just update the tests with new JWTs or change your tests to only test validity :)

[andrewsw]

Nice find @jensjeflensje! Thanks!

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days