Google Social Login: jwt.exceptions.ImmatureSignatureError: The token is not yet valid (iat) #445

Closed
Papajohn77 opened this issue Sep 16, 2023 · 12 comments

@Papajohn77

Steps to reproduce:

  • Create a new SuperTokens app using: npx create-supertokens-app@latest

  • Choose any combination of frontend framework and Python backend framework

  • Choose any of the authentication types that involves Social Login

  • Once both the frontend and backend are up and running try to Continue with Google

@KShivendu
Contributor

Thanks for creating this issue @Papajohn77. I'll take a look.

@KShivendu
Contributor

KShivendu commented Sep 18, 2023

@Papajohn77 I tried replicating your issue but I didn't face any error. What's your python and supertokens-python SDK version? Can you share the full error trace?

@KShivendu
Contributor

KShivendu commented Sep 18, 2023

@Papajohn77 this is what is causing issues. You probably just need to upgrade/downgrade. Let me know if it doesn't work (and share the output of pip show pyjwt).

@Papajohn77
Author

@Papajohn77 I tried replicating your issue but I didn't face any error. What's your python and supertokens-python SDK version? Can you share the full error trace?

Python 3.10.8
supertokens-python 0.16.0

Now the exception raised is different, however, the root cause is the same because if I add some leeway in the decoding of the JWT it works fine...

Traceback (most recent call last):
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\uvicorn\protocols\http\h11_impl.py", line 373, in run_asgi
    result = await app(self.scope, self.receive, self.send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\uvicorn\middleware\proxy_headers.py", line 75, in __call__
    return await self.app(scope, receive, send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\cors.py", line 86, in __call__
    await self.simple_response(scope, receive, send, request_headers=headers)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\cors.py", line 142, in simple_response
    await self.app(scope, receive, send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\fastapi\applications.py", line 199, in __call__
    await super().__call__(scope, receive, send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\applications.py", line 111, in __call__
    await self.middleware_stack(scope, receive, send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\errors.py", line 181, in __call__
    raise exc from None
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\errors.py", line 159, in __call__
    await self.app(scope, receive, _send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\base.py", line 25, in __call__
    response = await self.dispatch_func(request, self.call_next)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\framework\fastapi\fastapi_middleware.py", line 51, in dispatch
    result: Union[BaseResponse, None] = await st.middleware(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\supertokens.py", line 553, in middleware
    api_resp = await matched_recipe.handle_api_request(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdpartyemailpassword\recipe.py", line 223, in handle_api_request
    return await self.third_party_recipe.handle_api_request(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\recipe.py", line 142, in handle_api_request
    return await handle_sign_in_up_api(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\api\signinup.py", line 74, in handle_sign_in_up_api
    result = await api_implementation.sign_in_up_post(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdpartyemailpassword\api\thirdparty_api_implementation.py", line 62, in sign_in_up_post
    result = await api_implementation.thirdparty_sign_in_up_post(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdpartyemailpassword\api\implementation.py", line 148, in thirdparty_sign_in_up_post
    result = await self.tp_sign_in_up_post(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\api\implementation.py", line 83, in sign_in_up_post
    user_info = await provider.get_user_info(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\providers\custom.py", line 383, in get_user_info
    await verify_id_token_from_jwks_endpoint_and_get_payload(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\providers\custom.py", line 168, in verify_id_token_from_jwks_endpoint_and_get_payload
    raise err
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\providers\custom.py", line 165, in verify_id_token_from_jwks_endpoint_and_get_payload
    return decode(jwt=id_token, key=key, audience=[audience], algorithms=["RS256"])  # type: ignore
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\jwt\api_jwt.py", line 210, in decode
    decoded = self.decode_complete(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\jwt\api_jwt.py", line 151, in decode_complete
    decoded = api_jws.decode_complete(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\jwt\api_jws.py", line 209, in decode_complete
    self._verify_signature(signing_input, header, signature, key, algorithms)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\jwt\api_jws.py", line 310, in _verify_signature
    raise InvalidSignatureError("Signature verification failed")
jwt.exceptions.InvalidSignatureError: Signature verification failed

@Papajohn77
Author

@Papajohn77 this is what is causing issues. You probably just need to upgrade/downgrade. Let me know if it doesn't work (and share the output of pip show pyjwt).

As mentioned here this seems to break after version 2.5.0 which I cannot use due to version conflicts. I have tried versions 2.6.0 & 2.7.0 but the error persisted.
[Image: pip-show-pyjwt]

@KShivendu KShivendu self-assigned this Sep 19, 2023
@KShivendu
Contributor

KShivendu commented Sep 19, 2023

Hi @Papajohn77, please share a jwt that's failing for you. Also, are you sure you've tried with 2.7.0?
This PR was released with 2.7.0. It gives a float value for the now variable and should have fixed the issue.

>>> from calendar import timegm
>>> from datetime import datetime, timezone
>>> timegm(datetime.now(tz=timezone.utc).utctimetuple())
1695130379
>>> datetime.now(tz=timezone.utc).timestamp()
1695130382.739629

@Papajohn77
Author

Hi @Papajohn77, please share a jwt that's failing for you. Also, are you sure you've tried with 2.7.0? This PR was released with 2.7.0. It gives a float value for the now variable and should have fixed the issue.

>>> from calendar import timegm
>>> from datetime import datetime, timezone
>>> timegm(datetime.now(tz=timezone.utc).utctimetuple())
1695130379
>>> datetime.now(tz=timezone.utc).timestamp()
1695130382.739629

Hello @KShivendu, I just tried once more making sure I have PyJWT 2.7.0 and still getting the same error.

Here is a JWT:

@KShivendu
Contributor

KShivendu commented Sep 20, 2023

@Papajohn77, this doesn't add up. It should have worked.

  • Does this error happen occasionally/randomly or does it happen every time?
  • Can you please check that your system's time is updated?

@Papajohn77
Author

@Papajohn77, this doesn't add up. It should have worked.

  • Does this error happen occasionally/randomly or does it happen every time?
  • Can you please check that your system's time is updated?

It happens every time... I managed to make it work with Docker. Thanks for your time, you can close this.

@himanshkukreja

Python 3.10.8 supertokens-python 0.16.0

Now the exception raised is different, however, the root cause is the same because if I add some leeway in the decoding of the JWT it works fine...

Traceback (most recent call last):
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\uvicorn\protocols\http\h11_impl.py", line 373, in run_asgi
    result = await app(self.scope, self.receive, self.send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\uvicorn\middleware\proxy_headers.py", line 75, in __call__
    return await self.app(scope, receive, send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\cors.py", line 86, in __call__
    await self.simple_response(scope, receive, send, request_headers=headers)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\cors.py", line 142, in simple_response
    await self.app(scope, receive, send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\fastapi\applications.py", line 199, in __call__
    await super().__call__(scope, receive, send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\applications.py", line 111, in __call__
    await self.middleware_stack(scope, receive, send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\errors.py", line 181, in __call__
    raise exc from None
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\errors.py", line 159, in __call__
    await self.app(scope, receive, _send)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\starlette\middleware\base.py", line 25, in __call__
    response = await self.dispatch_func(request, self.call_next)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\framework\fastapi\fastapi_middleware.py", line 51, in dispatch
    result: Union[BaseResponse, None] = await st.middleware(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\supertokens.py", line 553, in middleware
    api_resp = await matched_recipe.handle_api_request(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdpartyemailpassword\recipe.py", line 223, in handle_api_request
    return await self.third_party_recipe.handle_api_request(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\recipe.py", line 142, in handle_api_request
    return await handle_sign_in_up_api(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\api\signinup.py", line 74, in handle_sign_in_up_api
    result = await api_implementation.sign_in_up_post(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdpartyemailpassword\api\thirdparty_api_implementation.py", line 62, in sign_in_up_post
    result = await api_implementation.thirdparty_sign_in_up_post(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdpartyemailpassword\api\implementation.py", line 148, in thirdparty_sign_in_up_post
    result = await self.tp_sign_in_up_post(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\api\implementation.py", line 83, in sign_in_up_post
    user_info = await provider.get_user_info(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\providers\custom.py", line 383, in get_user_info
    await verify_id_token_from_jwks_endpoint_and_get_payload(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\providers\custom.py", line 168, in verify_id_token_from_jwks_endpoint_and_get_payload
    raise err
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\supertokens_python\recipe\thirdparty\providers\custom.py", line 165, in verify_id_token_from_jwks_endpoint_and_get_payload
    return decode(jwt=id_token, key=key, audience=[audience], algorithms=["RS256"])  # type: ignore
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\jwt\api_jwt.py", line 210, in decode
    decoded = self.decode_complete(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\jwt\api_jwt.py", line 151, in decode_complete
    decoded = api_jws.decode_complete(
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\jwt\api_jws.py", line 209, in decode_complete
    self._verify_signature(signing_input, header, signature, key, algorithms)
  File "C:\Users\Giannis\Desktop\showcase-error\my-app\backend\venv\lib\site-packages\jwt\api_jws.py", line 310, in _verify_signature
    raise InvalidSignatureError("Signature verification failed")
jwt.exceptions.InvalidSignatureError: Signature verification failed

Getting the same issue

I have downgraded the version of pyJWT from 2.6.0 to 2.5.0 and this issue is resolved.
But the problem is 0.16.0 requires pyJWT version >= 2.6.0.
But for now signup/signIn using Google (using pyJWT 2.5.0) works correctly.

@rishabhpoddar please look at this

@rishabhpoddar rishabhpoddar reopened this Oct 4, 2023
@KShivendu KShivendu removed their assignment Oct 11, 2023
@IamMayankThakur IamMayankThakur self-assigned this Oct 20, 2023
@rishabhpoddar
Member

We have relaxed the constraint on pyJWT to be >= 2.5 instead of >= 2.6. So for those facing this issue, please downgrade pyJWT to 2.5

@anku255
Contributor

anku255 commented Jan 5, 2024

This issue was introduced in PyJWT v2.6.0 and was immediately fixed in v2.7.0. No further action is required on this issue as our version constraints already allow upgrading to the latest version (v2.8.0).
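
A diagnostic for the clock and leeway questions raised in this thread, as an added example that is not part of the original discussion and is not PyJWT or SuperTokens code: it reads a token's iat, nbf and exp without verifying the signature and reports how far iat lies ahead of the local clock and the smallest whole-second leeway that would let the iat check pass. The function names, the issuer.example issuer and the sample token are constructed for illustration.

```python
import base64
import json
import math
from datetime import datetime, timezone
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _decode_segment(segment: str) -> dict:
    # JWT segments are base64url without padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def time_claim_report(token: str, now: Optional[float] = None, leeway: float = 0.0) -> dict:
    """Compare a JWT's time claims with the local clock.

    Diagnostic only: the signature is NOT verified, so never use the
    result for an authentication decision.
    """
    if now is None:
        now = datetime.now(tz=timezone.utc).timestamp()
    claims = _decode_segment(token.split(".")[1])
    report = {"now": now, "problems": []}
    if "iat" in claims:
        ahead = claims["iat"] - now  # > 0: the issuer's clock is ahead of ours
        report["iat_ahead_seconds"] = ahead
        # Smallest whole-second leeway that would let the iat check pass.
        report["min_leeway"] = max(0, math.ceil(ahead))
        if claims["iat"] > now + leeway:
            report["problems"].append("iat is in the future")
    if "nbf" in claims and claims["nbf"] > now + leeway:
        report["problems"].append("nbf is in the future")
    if "exp" in claims and claims["exp"] <= now - leeway:
        report["problems"].append("exp has passed")
    return report


def make_sample_token(iat: int, lifetime: int = 3600) -> str:
    # Constructed sample: ID-token-like claims with a dummy signature segment.
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": "https://issuer.example", "iat": iat, "exp": iat + lifetime}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), "c2ln"])
```

Called with only a token, time_claim_report uses the host's current UTC time; a positive iat_ahead_seconds on a freshly issued token means the host clock is behind the issuer's.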
