jwt.encode produces not constant JWT header in Python 3

[henri-hulski]

After updating to 1.0.0 I found some inconsistency:
When running the following test:

def test_encode_jwt():
    import jwt
    from sys import version_info
    claims_set = {
        'sub': 'user'
    }
    key = 'secret'
    token = jwt.encode(claims_set, key)
    if version_info >= (3, 0, 0):
        token = token.decode(encoding='UTF-8')

    assert token == 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyIn0.' \
                    '8jVjALlPRYpE03sMD8kuqG9D4RSih5NjiISNZ-wO3oY'

In Python 2.7 this test passes always.
In Python 3.4 this test sometimes passes and sometimes not.
The reason is, that in Python 3 jwt.encode sometimes produce a header like:

{
  "alg": "HS256",
  "typ": "JWT"
}

This is the same like in Python 2.

But sometimes it produces a header like:

{
  "typ": "JWT",
  "alg": "HS256"
}

I didn't find out why this happens.

Regards,
Henri

[mark-adams]

Python doesn't guarantee the ordering of the keys in a dictionary; nor does the JWT spec specify an ordering of the header parameters.

This more than likely happened because the internals of dict changed between Python 2 and Python 3. It's nothing to be worried about.

[henri-hulski]

So with the same claimset I can get different tokens.

[mark-adams]

Absolutely, depending on how Python wants to order those keys.

If order really really mattered to you, you could use collections.OrderedDict for your claims, but to be honest, there is absolutely no technical reason why the order of the keys matter. The point of the JWT is to validate the authenticity of the claimset using the signature. The order of the keys in the claimset or header have absolutely nothing to do with that. As long as the signature validates, it is fine.

[henri-hulski]

I understand. So I will close this issue.

[fergyfresh]

We have a 3rd party integration that hardcoded the order of the keys :(. I'm glad I was validated here though by you guys confirming that the order doesn't matter and isn't specified in the RFC either.