
Replace python-jose with pyjwt #59

Merged (2 commits), Aug 1, 2024

Conversation

@lewisdoesstuff (Contributor) commented Apr 30, 2024

As python-jose seems to be unmaintained and has multiple vulnerabilities raised against it, I've replaced this with pyjwt.

The implementation is like-for-like, as pyjwt seems to implement most of the methods used from python-jose identically.

Updated unit test mock paths to new pyjwt locations.

Updated requirements.txt to include pyjwt

Haven't been able to run integration tests as I'm not entirely sure how I get an ID token via Postman, but that should run in CI.

Also didn't bump the version, but let me know and I'll update it.

Would resolve #54, #60

As `python-jose` seems to be unmaintained and has multiple vulnerabilities raised against it, I've replaced this with `pyjwt`.

The implementation is like-for-like, as `pyjwt` seems to implement most of the methods used from `python-jose` identically.

Updated unit test mock paths to new `pyjwt` locations.

Updated `requirements.txt` to include `pyjwt`

Would resolve okta#54
Create a `PyJWK` object from the `okta_jwk` parameter when verifying the token signature
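The description above says the `pyjwt` replacement is like-for-like, and the second commit builds a `PyJWK` from the `okta_jwk` parameter before checking the signature. The block below is an added example, not code from this PR or from the okta-jwt-verifier project, showing what that verification step looks like with `pyjwt` and what a defender should expect it to reject. The function names (`verify_id_token`, `run_checks`), the issuer and audience strings, and the RSA key are all constructed here; a real deployment takes the JWK from the Okta JWKS endpoint and the issuer/audience from its org configuration.

```python
"""Added example (not part of the PR or the okta-jwt-verifier code base): verify an
RS256 ID token with pyjwt, building the signing key from a JWK dict via PyJWK."""
import json
import time

import jwt
from jwt import PyJWK
from jwt.algorithms import RSAAlgorithm
from cryptography.hazmat.primitives.asymmetric import rsa

# Constructed values; a real deployment takes these from its Okta org configuration.
ISSUER = "https://example.okta.com/oauth2/default"
AUDIENCE = "api://default"
# Pinning the accepted algorithms is the check that matters: the token header must
# never be allowed to choose the algorithm, so "none" and HMAC variants are refused.
ALLOWED_ALGORITHMS = ["RS256"]


def verify_id_token(token: str, okta_jwk: dict, issuer: str, audience: str) -> dict:
    """Verify signature and standard claims; return the claims or raise jwt.InvalidTokenError."""
    # Build the key object from the JWK dict (the PyJWK step the PR's second commit describes).
    signing_key = PyJWK(okta_jwk)
    return jwt.decode(
        token,
        key=signing_key.key,
        algorithms=ALLOWED_ALGORITHMS,
        audience=audience,
        issuer=issuer,
        options={"require": ["exp", "iat", "iss", "aud", "sub"]},
    )


def make_constructed_key():
    """Generate a throwaway RSA key and its public JWK (stands in for a key from Okta's JWKS)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_jwk = json.loads(RSAAlgorithm.to_jwk(private_key.public_key()))
    public_jwk.update({"kid": "constructed-kid", "alg": "RS256", "use": "sig"})
    return private_key, public_jwk


def run_checks() -> dict:
    """Sign tokens with the constructed key and confirm the verifier accepts and rejects correctly."""
    private_key, public_jwk = make_constructed_key()
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "00u-constructed", "iat": now, "exp": now + 300}

    def sign(payload, algorithm="RS256", key=private_key):
        return jwt.encode(payload, key, algorithm=algorithm, headers={"kid": public_jwk["kid"]})

    def rejected(token, expected_error) -> bool:
        try:
            verify_id_token(token, public_jwk, ISSUER, AUDIENCE)
        except expected_error:
            return True
        return False

    results = {}
    # A well-formed token for the expected issuer and audience is accepted.
    results["subject"] = verify_id_token(sign(claims), public_jwk, ISSUER, AUDIENCE)["sub"]
    # A token minted for another audience is rejected even though its signature is valid.
    results["rejects_wrong_audience"] = rejected(sign({**claims, "aud": "api://other"}), jwt.InvalidAudienceError)
    # An expired token is rejected.
    results["rejects_expired"] = rejected(sign({**claims, "exp": now - 60}), jwt.ExpiredSignatureError)
    # An unsigned token ("alg": "none") fails the algorithm allow-list before any claim check.
    results["rejects_alg_none"] = rejected(sign(claims, algorithm="none", key=None), jwt.InvalidAlgorithmError)
    return results


if __name__ == "__main__":
    print(run_checks())
```

Requires `pyjwt` with the `cryptography` extra installed. The `algorithms=[...]` argument is the load-bearing line: it is what makes the verifier, rather than the token, decide how the signature is checked.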
@lukehsiao

@bretterer or @bryanapellanes-okta perhaps? For many companies using this library, we need this to be patched for compliance reasons, or we will need to move off of this library. Can we prioritize this security fix?

@lewisdoesstuff (Contributor, Author)

> @bretterer or @bryanapellanes-okta perhaps? For many companies using this library, we need this to be patched for compliance reasons, or we will need to move off of this library. Can we prioritize this security fix?

Cheers,
In the meantime, if you need to pass vulnerability scanning (at least in docker):

  • Add the jwt_utils.py from my patch to somewhere in the repo (e.g. patches/okta-jwt-verifier/jwt_utils.py)
  • Remove the library from your requirements.txt
  • During docker build, install pyjwt and the dependencies for this library, excluding python-jose
  • Install okta-jwt-verifier with --no-deps
  • Install the rest of your dependencies
  • Patch the library by copying the file to the install location, usually somewhere like /usr/bin/python3.xx/site-packages/okta-jwt-verifier-python/okta-jwt-verifier/jwt_utils.py
  • Complete the rest of the build

Obviously not an ideal solution, and it'll vary depending on your base image, but I've had this running in production this week with no issues.

@danielhstahl

Can a maintainer please take a look at this PR? This PR is an absolute requirement for enterprises looking to use Python to integrate with Okta. My expectation would be that a project like this would be maintained and kept up to date.

@lukehsiao

We went ahead and replaced okta-jwt-verifier with joserfc entirely.

@bretterer bretterer merged commit 20bf0ff into okta:master Aug 1, 2024
@bretterer (Collaborator)

Sorry for the delay on this PR. I have merged it into the main branch and will be releasing a new version to PyPI soon.

Thank you for the PR!

@grossandrewr

hi @bretterer - do you have an ETA for releasing the new version that includes this change? my team is eager for the update to resolve failing vulnerability checks. thanks!

@dude0001

> hi @bretterer - do you have an ETA for releasing the new version that includes this change? my team is eager for the update to resolve failing vulnerability checks. thanks!

You can already download 0.2.6 that has the change to remove the python-jose.

My issue is that the latest version changed the version ranges of several other dependencies, such that if you are using the latest of those dependencies you'll have to revert to older versions, some of which have their own vulnerabilities. So upgrading to 0.2.6 is problematic as well.

I created #64 to hopefully address this, but the maintainers have disappeared again. I had to have our organization reach out to Okta support to get some attention to the python-jose issue. I might have to do this again.

Successfully merging this pull request may close these issues: Dependency python-Jose appears to be unmaintained