Which Python JOSE library supports nested JWT (signed+encrypted)?

Question

I looked at python-jose and jose but neither seem to support encrypting a signed JWT. For example, "jose" library supports signing and encrypting separately, without nesting them.

Am I missing something, like perhaps it's fairly easy to nest JWTs outside the library? If so, please share tips on achieving this so the result is well formatted.

Answer 1

jwcrypto supports nested JWS and JWE.

To sign and then encrypt:

# Load your RSA pub and private keys
pubKey = jwk.JWK().from_pyca(serializedPublicKey)
privateKey = jwk.JWK().from_pyca(serializedPrivateKey)

# your JWT claims go here
claims = {
    # JWT claims in JSON format
          }
# sign the JWT
# specify algorithm needed for JWS
header = {
          u'alg' : 'RS256', 
          'customSigHeader':'customHeaderContent'
          }
# generate JWT
T = jwt.JWT(header, claims)
# sign the JWT with a private key
T.make_signed_token(privateKey)
# serialize it
signed_token = T.serialize(compact=True)

# JWE algorithm in the header
eprot = {
    'alg': "RSA-OAEP", 
    'enc': "A128CBC-HS256",
     'customEncHeader':'customHeaderContent'
     }   
E = jwe.JWE(signed_token, json_encode(eprot))
# encrypt with a public key
E.add_recipient(pubKey)#
# serialize it
encrypted_signed_token = E.serialize(compact=True)

To decrypt and verify signature:

#Decrypt and Verify signature
E = jwe.JWE()
# deserialize and decrypt
E.deserialize(encrypted_signed_token, key=privateKey)
raw_payload = E.payload
# verify signature
S = jws.JWS()
S.deserialize(raw_payload, key=pubKey)
final_payload = S.payload