diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index f122fe762..1c1c4514e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -10,6 +10,8 @@ This project adheres to `Semantic Versioning `__.
Changed
~~~~~~~
+- Remove arbitrary kwalgs. `#657 `__
+
Fixed
~~~~~
diff --git a/jwt/api_jws.py b/jwt/api_jws.py
index 3a1629476..8061c9787 100644
--- a/jwt/api_jws.py
+++ b/jwt/api_jws.py
@@ -137,7 +137,6 @@ def decode_complete(
key: str = "",
algorithms: List[str] = None,
options: Dict = None,
- **kwargs,
) -> Dict[str, Any]:
if options is None:
options = {}
@@ -166,9 +165,8 @@ def decode(
key: str = "",
algorithms: List[str] = None,
options: Dict = None,
- **kwargs,
) -> str:
- decoded = self.decode_complete(jwt, key, algorithms, options, **kwargs)
+ decoded = self.decode_complete(jwt, key, algorithms, options)
return decoded["payload"]
def get_unverified_header(self, jwt):
diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
index 48a931625..c5fbbc564 100644
--- a/jwt/api_jwt.py
+++ b/jwt/api_jwt.py
@@ -68,7 +68,9 @@ def decode_complete(
key: str = "",
algorithms: List[str] = None,
options: Dict = None,
- **kwargs,
+ audience: Optional[Union[str, List[str]]] = None,
+ issuer: Optional[str] = None,
+ leeway: Union[float, timedelta] = 0,
) -> Dict[str, Any]:
if options is None:
options = {"verify_signature": True}
@@ -92,7 +94,6 @@ def decode_complete(
key=key,
algorithms=algorithms,
options=options,
- **kwargs,
)
try:
@@ -103,7 +104,7 @@ def decode_complete(
raise DecodeError("Invalid payload string: must be a json object")
merged_options = {**self.options, **options}
- self._validate_claims(payload, merged_options, **kwargs)
+ self._validate_claims(payload, merged_options, audience, issuer, leeway)
decoded["payload"] = payload
return decoded
@@ -114,18 +115,20 @@ def decode(
key: str = "",
algorithms: List[str] = None,
options: Dict = None,
- **kwargs,
+ audience: Optional[Union[str, List[str]]] = None,
+ issuer: Optional[str] = None,
+ leeway: Union[float, timedelta] = 0,
) -> Dict[str, Any]:
- decoded = self.decode_complete(jwt, key, algorithms, options, **kwargs)
+ decoded = self.decode_complete(
+ jwt, key, algorithms, options, audience, issuer, leeway
+ )
return decoded["payload"]
- def _validate_claims(
- self, payload, options, audience=None, issuer=None, leeway=0, **kwargs
- ):
+ def _validate_claims(self, payload, options, audience, issuer, leeway):
if isinstance(leeway, timedelta):
leeway = leeway.total_seconds()
- if not isinstance(audience, (bytes, str, type(None), Iterable)):
+ if not isinstance(audience, (str, type(None), Iterable)):
raise TypeError("audience must be a string, iterable, or None")
self._validate_required_claims(payload, options)
diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
index a6230b3c6..3f274a378 100644
--- a/tests/test_api_jwt.py
+++ b/tests/test_api_jwt.py
@@ -106,6 +106,17 @@ def test_decode_with_non_mapping_payload_throws_exception(self, jwt):
exception = context.value
assert str(exception) == "Invalid payload string: must be a json object"
+ def test_decode_with_unknown_parameter_throws_exception(self, jwt):
+ secret = "secret"
+ example_jwt = (
+ b"eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9"
+ b".eyJoZWxsbyI6ICJ3b3JsZCJ9"
+ b".tvagLDLoaiJKxOKqpBXSEGy7SYSifZhjntgm9ctpyj8"
+ )
+
+ with pytest.raises(TypeError):
+ jwt.decode(example_jwt, key=secret, foo="bar", algorithms=["HS256"])
+
def test_decode_with_invalid_audience_param_throws_exception(self, jwt):
secret = "secret"
example_jwt = (