| # Python JWT signature example |
| |
| This example shows how to generate and verify Json Web Tokens (JWT) with Tink. |
| |
| It demonstrates the basic steps of using Tink, namely loading key material, |
| obtaining a primitive, and using the primitive to do crypto. |
| |
| The key material was generated with: |
| |
| ```shell |
| $ tinkey create-keyset --key-template JWT_ES256 --out-format JSON \ |
| --out jwt_test_private_keyset.json |
| |
| $ tinkey create-public-keyset --in jwt_test_private_keyset.json \ |
| --in-format JSON --out jwt_test_public_keyset.json --out-format JSON |
| ``` |
| |
| Note that these keysets use Tink's JSON keyset format, which is different and |
| not compatible with JSON Web Key set (JWK set) format. |
| |
| ## Build and run |
| |
| ### Bazel |
| |
| Build the examples: |
| |
| ```shell |
| $ git clone https://github.com/google/tink |
| $ cd tink/python/examples |
| $ bazel build ... |
| ``` |
| |
| Generate a JWT token using the private keyset: |
| |
| ```shell |
| $ touch token_file.txt |
| |
| $ ./bazel-bin/jwt/jwt_sign_cli \ |
| --private_keyset_path ./jwt/jwt_test_private_keyset.json \ |
| --audience "audience" --token_path token_file.txt |
| ``` |
| |
| You can convert the public keyset into |
| [JWK Set](https://datatracker.ietf.org/doc/html/rfc7517#section-5) format. This |
| is useful if you want to share the public keyset with someone who is not using |
| Tink. Note that this functionality was added after the release v1.7.0. |
| |
| ```shell |
| $ touch public_jwk_set.json |
| |
| $ ./bazel-bin/jwt/jwt_generate_public_jwk_set \ |
| --public_keyset_path ./jwt/jwt_test_private_keyset.json \ |
| --public_jwk_set_path public_jwk_set.json |
| ``` |
| |
| You can verify a token using a public keyset given in JWK Set format: |
| |
| ```shell |
| $ ./bazel-bin/jwt/jwt_verify_cli \ |
| --public_jwk_set_path public_jwk_set.json \ |
| --audience "audience" --token_path token_file.txt |
| ``` |
