
Use OIC instead of Python-Jose #48

Closed
wants to merge 3 commits into from

Conversation

keaton185

Context

This package indirectly uses python-jose, which is affected by GHSA-cjwg-qfpm-7377 and which additionally seems to be abandoned by its maintainers.

Move this package to use OIC to generate the JWK instead.

keaton185 and others added 2 commits May 28, 2024 22:00
Co-authored-by: Rémy HUBSCHER <[email protected]>
Co-authored-by: Rémy HUBSCHER <[email protected]>
@keaton185
Author

@robert-mings for visibility 👀

@dreid

dreid commented Jun 7, 2024

Introducing a dependency on OIC would cause a pretty significant explosion in transitive dependencies of this package.

https://github.com/CZ-NIC/pyoidc/blob/master/setup.py#L86-L95

And it seems like overkill to bring in a "complete OpenID Connect implementation" just for the couple of JWK related functions actually used.

PyJWT as implemented in #49 in contrast only really depends on the standard library and the well maintained and very popular cryptography package.
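For readers weighing the two options in this thread, here is what the PyJWT route dreid describes looks like end to end. This is an added example, not code from this repository, from the linked PR, or from PyJWT's own documentation: it generates an RSA key with `cryptography`, publishes the public half as a JWK Set (with an RFC 7638 thumbprint as `kid`, computed with the standard library), signs an RS256 token, and verifies it by `kid` with the algorithm pinned to the one the key was published for. The issuer and audience strings are assumed values.

```python
"""Issue and verify an RS256 JWT using PyJWT's JWK helpers (added example)."""
import base64
import hashlib
import json
import time

import jwt
from jwt.algorithms import RSAAlgorithm
from cryptography.hazmat.primitives.asymmetric import rsa

ISSUER = "https://issuer.example"   # assumed value, not taken from the project
AUDIENCE = "example-api"            # assumed value, not taken from the project


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWK/JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over the canonical
    JSON of the required members (e, kty, n), in lexicographic order."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           separators=(",", ":"), sort_keys=True)
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def build_jwks():
    """Generate an RSA key pair and publish the public half as a JWK Set."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # RSAAlgorithm.to_jwk returns a JSON string in every PyJWT 2.x release;
    # parsing it keeps this independent of the newer as_dict= parameter.
    public_jwk = json.loads(RSAAlgorithm.to_jwk(private_key.public_key()))
    public_jwk["kid"] = jwk_thumbprint(public_jwk)
    public_jwk["use"] = "sig"
    public_jwk["alg"] = "RS256"
    return private_key, {"keys": [public_jwk]}


def issue_token(private_key, kid: str, subject: str) -> str:
    """Sign a short-lived RS256 token and name the signing key in the header."""
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + 300}
    return jwt.encode(claims, private_key, algorithm="RS256",
                      headers={"kid": kid})


def verify_token(token: str, jwks: dict) -> dict:
    """Look the key up by kid and verify with the algorithm pinned to that key."""
    header = jwt.get_unverified_header(token)
    matches = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")]
    # An unknown or ambiguous kid is rejected; there is no fallback to "any key".
    if len(matches) != 1:
        raise jwt.InvalidTokenError(
            "no unique key for kid %r" % header.get("kid"))
    public_key = RSAAlgorithm.from_jwk(json.dumps(matches[0]))
    # algorithms= is taken from the published key, never from the token header,
    # so a token cannot steer verification toward a different algorithm family.
    return jwt.decode(token, public_key, algorithms=[matches[0]["alg"]],
                      audience=AUDIENCE, issuer=ISSUER)


if __name__ == "__main__":
    priv, jwks = build_jwks()
    tok = issue_token(priv, jwks["keys"][0]["kid"], "alice")
    print(verify_token(tok, jwks)["sub"])
```

Beyond `cryptography`, everything here is the standard library plus PyJWT, which is the point dreid makes about the dependency footprint. The `kid` lookup and the pinned `algorithms=` list are the two checks worth keeping whichever library ends up being used.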

@Natim
Contributor

Natim commented Jun 10, 2024

Robert is off until June 24th, let's wait for his return to see if we can cut a release.

@robert-mings
Collaborator

Thanks for the willingness to contribute @keaton185! We've moved ahead with the pyjwt implementation instead of OIC through this PR.

@keaton185 keaton185 deleted the use-oic branch August 4, 2024 21:09