-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use PyJWT instead of python-jose #49
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@yahel2410 what's next? Can we merge? |
Hi @Natim, Thanks for this contribution! The move away from python-jose is a much needed change. From my testing, I had a few questions/asks:
|
Hello Robert, no need for the cryptography package anymore with PyJWT. As for the verify method, PyJWT provides the same method/API. The code is tested and we have been using it in production for more than a month. In the Python dependencies philosophy, libraries should not enforce dependencies versioning so that project can handle it without library version conflicts. This is because you can't use two different version of a lib in the same project with Python. We could use the >= but since it works with all versions of PyJWT it isn't necessary. |
Done, thanks |
Thanks @Natim. Great to hear you've been using this in production.
|
Ok then, let's add it 🙏 |
It's part of the PyJWK Algorithm API: https://github.com/jpadilla/pyjwt/blob/527fec277e8215a197f8facd3778b359043704ef/jwt/algorithms.py#L180-L185 |
Can you please proceed and merge this? |
@robert-mings are we any closer to being able to merge this one? |
@Natim, @keaton185, @yahel2410 - We're close but I have yet to get this working as it's currently written. Facing Can I confirm if others are using this successfully as is? |
Can you write a test for it I can look at?
It supposed to be an Algorithm object not a JWK object that you use to
verify.
|
@robert-mings can you try again, you were right. I believe we are missing a test for this part of the lib, I was expecting it to exist which I was wrong. The good news is that our production code doesn't seem to use this part of the code. |
Thanks @Natim for adding this. Just an update from my side - this solved the Looks like we needed two additional arguments - padding and algorithm. Easy enough, passing those solves that error: That then runs into another error: I'm almost thinking we can simplify and use the
Thoughts? |
@robert-mings can you try again like that? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome @Natim - this looks good. Only required change is to import jwt
since we are using the decode api directly (as well as the 2 required references).
I added a couple lines of cleanup as well. Let me know if you're able to make these changes, otherwise I can get this merged and follow-up directly after.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great. Thanks again for the contribution @Natim.
Merging now and will get a new version released.
Alternate to #48
Context
This package indirectly uses python-jose, which is affected by: GHSA-cjwg-qfpm-7377 which additionally seems to be abandoned by it's maintainers.
Move this package to use PyJWT to generate the JWK instead.