authorjuerg <juerg@google.com>2023-07-19 04:54:32 -0700
committerCopybara-Service <copybara-worker@google.com>2023-07-19 04:55:34 -0700
commit820df93642153183525b96ac944e7af47f40790a (patch)
tree4df0d946033d665dc747bcd80dfbdedc1f0966ae /python
parent65fd1823cd5ca6d5c5675a7bacb1bfeba0f01895 (diff)
downloadtink-820df93642153183525b96ac944e7af47f40790a.tar.gz
Simplify Python JWT verification example.
Supporting two public key formats in this example is not necessary. It is better to only use JWK sets, which is probably the most common use case. This change makes the example more similar to the Java example. PiperOrigin-RevId: 549281076
Diffstat (limited to 'python')
-rw-r--r--python/examples/jwt/README.md14
-rwxr-xr-xpython/examples/jwt/jwt_signature_test.sh17
-rw-r--r--python/examples/jwt/jwt_verify.py31
3 files changed, 10 insertions, 52 deletions
diff --git a/python/examples/jwt/README.md b/python/examples/jwt/README.md
index a3c0f96a1..058b70b0d 100644
--- a/python/examples/jwt/README.md
+++ b/python/examples/jwt/README.md
@@ -40,18 +40,10 @@ $ ./bazel-bin/jwt/jwt_sign \
--audience "audience" --token_path token_file.txt
```
-Verify the token using the public keyset:
-
-```shell
-$ ./bazel-bin/jwt/jwt_verify \
- --public_keyset_path public_jwk_set.json \
- --audience "audience" --token_path token_file.txt
-```
-
-You can also convert the public keyset into
+You can convert the public keyset into
[JWK Set](https://datatracker.ietf.org/doc/html/rfc7517#section-5) format. This
is useful if you want to share the public keyset with someone who is not using
-Tink. Note that this functionality was added after the release v1.6.1.
+Tink. Note that this functionality was added after the release v1.7.0.
```shell
$ touch public_jwk_set.json
@@ -61,7 +53,7 @@ $ ./bazel-bin/jwt/jwt_generate_public_jwk_set \
--public_jwk_set_path public_jwk_set.json
```
-You can also verify a token using a public keyset given in JWK Set format:
+You can verify a token using a public keyset given in JWK Set format:
```shell
$ ./bazel-bin/jwt/jwt_verify \
diff --git a/python/examples/jwt/jwt_signature_test.sh b/python/examples/jwt/jwt_signature_test.sh
index 58f151958..7c84da5e7 100755
--- a/python/examples/jwt/jwt_signature_test.sh
+++ b/python/examples/jwt/jwt_signature_test.sh
@@ -67,23 +67,6 @@ fi
#############################################################################
-print_test "verification_with_public_keyset"
-
-# Verify the token
-test_command ${VERIFY_CLI} \
- --public_keyset_path "${PUBLIC_KEYSET_PATH}" \
- --audience "${AUDIENCE}" \
- --token_path "${TOKEN_PATH}"
-
-if (( TEST_STATUS == 0 )); then
- echo "+++ Success: Verification passed for a valid token."
-else
- echo "--- Failure: Verification failed for a valid token."
- exit 1
-fi
-
-#############################################################################
-
print_test "generate_public_jwk_set"
# Generate the public keyset in JWK format
diff --git a/python/examples/jwt/jwt_verify.py b/python/examples/jwt/jwt_verify.py
index 102205693..301d00470 100644
--- a/python/examples/jwt/jwt_verify.py
+++ b/python/examples/jwt/jwt_verify.py
@@ -26,8 +26,6 @@ from tink import jwt
FLAGS = flags.FLAGS
-_PUBLIC_KEYSET_PATH = flags.DEFINE_string(
- 'public_keyset_path', None, 'Path to public keyset in Tink JSON format.')
_PUBLIC_JWK_SET_PATH = flags.DEFINE_string(
'public_jwk_set_path', None, 'Path to public keyset in JWK set format.')
_AUDIENCE = flags.DEFINE_string('audience', None,
@@ -42,28 +40,13 @@ def main(argv):
# Initialise Tink
jwt.register_jwt_signature()
- # Read the keyset into a KeysetHandle
- if _PUBLIC_KEYSET_PATH.present:
- with open(_PUBLIC_KEYSET_PATH.value, 'rt') as public_keyset_file:
- try:
- text = public_keyset_file.read()
- keyset_handle = tink.read_no_secret_keyset_handle(
- tink.JsonKeysetReader(text))
- except tink.TinkError as e:
- logging.exception('Error reading public keyset: %s', e)
- return 1
- elif _PUBLIC_JWK_SET_PATH.present:
- with open(_PUBLIC_JWK_SET_PATH.value, 'rt') as public_jwk_set_file:
- try:
- text = public_jwk_set_file.read()
- keyset_handle = jwt.jwk_set_to_public_keyset_handle(text)
- except tink.TinkError as e:
- logging.exception('Error reading public JWK set: %s', e)
- return 1
- else:
- logging.exception(
- 'Either --public_keyset_path or --public_jwk_set_path must be set')
- return 1
+ with open(_PUBLIC_JWK_SET_PATH.value, 'rt') as public_jwk_set_file:
+ try:
+ text = public_jwk_set_file.read()
+ keyset_handle = jwt.jwk_set_to_public_keyset_handle(text)
+ except tink.TinkError as e:
+ logging.exception('Error reading public JWK set: %s', e)
+ return 1
now = datetime.datetime.now(tz=datetime.timezone.utc)
try:
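Review bot: The new `open(_PUBLIC_JWK_SET_PATH.value, 'rt')` runs with no check that the flag was supplied, because the removed `else` branch was the only visible place that rejected a missing key path. The flag's default is `None`, so unless `public_jwk_set_path` is marked required outside this hunk (the rest of `main` and the `__main__` block are not shown), the verifier fails with a `TypeError` traceback instead of a clear usage error. If it is not already there, add `flags.mark_flag_as_required('public_jwk_set_path')` next to the other required-flag declarations. Separately, `open()` sits outside the `try`, so an unreadable or missing JWK set file bypasses the 'Error reading public JWK set' log path; catching `OSError` alongside `tink.TinkError` would keep key-loading failures reported uniformly.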