xcube-dev · TonioF · Feb 10, 2026 · Jan 28, 2026 · Jan 28, 2026 · Jan 28, 2026
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,6 @@
 ## Changes in 1.13.1 (under development)
 
+### Enhancements
 * Expanded support for keyword arguments of `rioxarray.open_rasterio` when opening
   raster files via `xcube.core.store.DataStore.open_data()`.
   * `rioxarray.open_rasterio` is now called with `chunks="auto"` by default in
@@ -12,6 +13,9 @@
     patterns and avoids unnecessary transformations.
 * Require dask >=2024.8 (#1196)
 
+### Fixes
+* Avoid authentication error due to missing cryptography package (#1191)
+
 ## Changes in 1.13.0
 
 ### Enhancements

diff --git a/environment.yml b/environment.yml
@@ -10,6 +10,7 @@ dependencies:
   - cftime >=1.6.3
   - click >=8.2.0
   - cmocean >=2.0
+  - cryptography  # pyjwt optional dependency; see PR #1199
   - dask >=2024.8  # avoid numpy 2 incompatibility; see Issue #1196
   - dask-image >=0.6
   - deprecated >=1.2
@@ -29,7 +30,7 @@ dependencies:
   - numpy >=1.16
   - pandas >=1.3,<3
   - pillow >=6.0
-  - pyjwt >=1.7
+  - pyjwt >=2.5
   - pyproj >=3.0
   - pyyaml >=5.4
   - rasterio >=1.2

diff --git a/pyproject.toml b/pyproject.toml
@@ -24,6 +24,7 @@ dependencies = [
   "click>=8.0",
   "cmocean>=2.0",
   "chartlets>=0.1.3",
+  "cryptography",  # pyjwt optional dependency; see PR #1199
   "dask>=2021.6",
   "dask-image>=0.6",
   "deprecated>=1.2",
@@ -42,7 +43,7 @@ dependencies = [
   "numpy>=1.16",
   "pandas>=1.3,<3",
   "pillow>=6.0",
-  "pyjwt>=1.7",
+  "pyjwt>=2.5",
   "pyproj>=3.0",
   "pyyaml>=5.4",
   "rasterio>=1.2",

diff --git a/rtd-environment.yml b/rtd-environment.yml
@@ -12,6 +12,7 @@ dependencies:
   - chartlets >= 0.1.3
   - click >=8.0
   - cmocean >=2.0
+  - cryptography  # pyjwt optional dependency; see PR #1199
   - dask >=2021.6
   - dask-image >=0.6
   - deprecated >=1.2
@@ -30,7 +31,7 @@ dependencies:
   - openssl
   - pandas >=1.3,<2
   - pillow >=6.0
-  - pyjwt >=1.7
+  - pyjwt >=2.5
   - pyproj >=3.0
   - pyyaml >=5.4
   - rasterio >=1.2

diff --git a/xcube/webapi/auth/context.py b/xcube/webapi/auth/context.py
@@ -112,28 +112,31 @@ def get_id_token(
         # Get JSON Web Token (JWK) Keys
         jwks = self.jwks
 
-        # Find access_token_kid in JWKS to obtain rsa_key
-        rsa_key = None
+        # Find access_token_kid in JWKS to obtain algorithm_key
+        algorithm_key = None
         for key in jwks["keys"]:
             if key["kid"] == access_token_kid:
-                rsa_key = {
+                algorithm_key = {
                     "kty": key["kty"],
                     "kid": key["kid"],
                     "use": key["use"],
                     "n": key["n"],
                     "e": key["e"],
                 }
                 break
-        if rsa_key is None:
+        if algorithm_key is None:
             raise ApiError.BadRequest(
                 "Invalid header. Unable to find appropriate key in JWKS."
             )
 
+        alg = unverified_header["alg"]
+        algorithm = jwt.get_algorithm_by_name(alg)
+
         # Now we are ready to decode the access token
         try:
             id_token = jwt.decode(
                 access_token,
-                jwt.algorithms.RSAAlgorithm.from_jwk(rsa_key),
+                algorithm.from_jwk(algorithm_key),
                 issuer=auth_config.authority,
                 audience=auth_config.audience,
                 algorithms=auth_config.algorithms,