Cryptography Library - Python Script (JWT Signed token for OAuth 2.0)

I have an endpoint that logs in using OAuth 2.0 with JWT Token, with the standard Infor OS Cloud feature, I receive errors and the Token doesn't pass.
Because of this I made a Python script to sign the JWT and with this token contact the methods. This jwt signed, I sent it to the endpoint token and with the token that it returns to me, I should contact the methods...

The strange thing is that I am having errors when using the Cryptography library.

Errors like : scripting.Traceback (most recent call last): File "script", line 1, in <module> File "/var/task/jwt/__init__.py", line 1, in <module> from .api_jwk import PyJWK, PyJWKSet File "/var/task/jwt/api_jwk.py", line 7, in <module> from .algorithms import get_default_algorithms, has_crypto, requires_cryptography File "/var/task/jwt/algorithms.py", line 11, in <module> from .utils import ( File "/var/task/jwt/utils.py", line 7, in <module> from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve File "/var/task/cryptography/hazmat/primitives/asymmetric/ec.py", line 11, in <module> from cryptography.exceptions import UnsupportedAlgorithm, _Reasons File "/var/task/cryptography/exceptions.py", line 9, in <module> from cryptography.hazmat.bindings._rust import exceptions as rust_exceptions ImportError: cannot import name 'exceptions' from 'cryptography.hazmat.bindings._rust' (unknown location)

These messages are usually due to compatibility, analyze in Pypi (https://pypi.org/project/cryptography/42.0.7/#files)
and I really can't find the build that would be correct for Infor OS Cloud, what would it be?

Has anyone used this library?, or performed this operation via Script?
In my environment Python works correctly.

The script is very simple (i remove personal data)-->

import jwt
import time
import cryptography

# Configuración
consumer_key = 'CONSUMER_KEY'
#cert_id = 'ID_DEL_CERTIFICADO'
private_key_pem = b"""-----BEGIN PRIVATE KEY-----
51651651
-----END PRIVATE KEY-----"""

# Construir el JWT Header
header = {
'alg': 'PS256',
'typ': 'JWT',
'kid': 'kid_client'
}

# Construir el JWT Payload
payload = {
'iss': consumer_key,
'scope': ['restlets', 'rest_webservices'],
'iat': int(time.time()), # Timestamp actual
'exp': int(time.time()) + 3600, # Expiración en 1 hora
'aud': 'https://server.tokenserver';
}

# Generar el JWT
encoded_jwt = jwt.encode(payload, private_key_pem, algorithm='PS256', headers=header)

# Mostrar el JWT
print(encoded_jwt)

Thanks!, best regards

Find more posts tagged with

General Discussions

Accepted answers

Nicolas Del rio

Here the script fixed!, with compatible libraries :

import time
import base64
import json
from Crypto.PublicKey import RSA
from Crypto.Signature import pss
from Crypto.Hash import SHA256

# Utility to sign JWTs based on a payload and dynamic header - Libraries tested in Infor Cloud MT
# Crear el encabezado del JWT
jwt_header = {
"YOUR HEADER"
}

# Convertir el encabezado a JSON y codificarlo en base64 URL safe
encoded_jwt_header = base64.urlsafe_b64encode(json.dumps(jwt_header, separators=(',', ':')).encode()).decode().rstrip('=')

# Crear el payload del JWT
current_time = int(time.time())
jwt_payload = {
"YOUR PAYLOAD"
}

# Convertir el payload a JSON y codificarlo en base64 URL safe
encoded_jwt_payload = base64.urlsafe_b64encode(json.dumps(jwt_payload, separators=(',', ':')).encode()).decode().rstrip('=')

# Construir el JWT sin firmar
unsigned_jwt = f"{encoded_jwt_header}.{encoded_jwt_payload}"

# Clave privada en formato PEM
CERTIFICATE_PRIVATE_KEY = '''-----BEGIN PRIVATE KEY-----
YOUR PRIVATE KEY
-----END PRIVATE KEY-----'''

# Cargar la clave privada usando PyCryptodome
private_key = RSA.import_key(CERTIFICATE_PRIVATE_KEY)

# Firmar el JWT con el algoritmo PS256 usando RSASSA-PSS
hash_obj = SHA256.new(unsigned_jwt.encode('utf-8'))
signature = pss.new(private_key).sign(hash_obj)

# Convertir la firma a formato base64 URL safe
encoded_signature = base64.urlsafe_b64encode(signature).decode().rstrip('=')

# Construir el JWT completo (header.payload.signature)
signed_jwt = f"{unsigned_jwt}.{encoded_signature}"

# Salida en formato JSON
output = {
"token": signed_jwt
}

# Imprimir la salida en formato JSON
print(json.dumps(output, indent=4))

All comments

Nicolas Del rio

Solved.