dpgaspar / Flask-AppBuilder

Simple and rapid application development framework, built on top of Flask. Includes detailed security, auto CRUD generation for your models, Google charts and much more. Demo (login with guest/welcome) - http://flaskappbuilder.pythonanywhere.com/
BSD 3-Clause "New" or "Revised" License

Problem in Apache Superset: PyJWT 2.10 changed semantics, Flask-JWT-Extended 4.7.1 needs a configuration change #2287

Open amotl opened 16 hours ago

amotl commented 16 hours ago

Problem

When setting up a fresh sandbox environment, PyJWT 2.10, released on Nov 17, i.e. five days ago, gets installed. That breaks a little integration test suite against Apache Superset we are running.

The initial discovery was reported here:

The detailed report and investigation happened here:

Solution

@jlucier and @vimalloc suggested at https://github.com/apache/superset/issues/30995#issuecomment-2494706861:

Have you configured flask-jwt-extended to not verify the sub claim? 'JWT_VERIFY_SUB=False'.

That probably needs to take place after upgrading to Flask-JWT-Extended 4.7.1, which includes relevant code updates?

amotl commented 15 hours ago

We have been able to resolve this by updating to Flask-JWT-Extended 4.7.1 and configuring it using JWT_VERIFY_SUB = False.
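
What the `sub` check behind `JWT_VERIFY_SUB` changes, as an added stdlib-only sketch (not code from this thread, PyJWT, Flask-JWT-Extended or Flask-AppBuilder). It assumes the PyJWT 2.10 change in question is the validation that `sub` is a string and that the application issues tokens with an integer identity; `encode`, `decode`, `outcome` and the key are hypothetical names.

```python
# Added illustration: a minimal HS256 verifier with a switchable `sub` type check.
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"  # constructed sample secret, not a real key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(claims: dict, key: bytes = KEY) -> str:
    """Build a compact HS256 token from a claims dict."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def decode(token: str, key: bytes = KEY, verify_sub: bool = True) -> dict:
    """Always verify signature and exp; check the type of `sub` only if asked."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if "exp" in claims and claims["exp"] < time.time():
        raise ValueError("expired")
    if verify_sub and "sub" in claims and not isinstance(claims["sub"], str):
        raise ValueError("Subject must be a string")
    return claims

def outcome(token: str, **kw) -> str:
    try:
        decode(token, **kw)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"

# Constructed tokens: an integer identity (a numeric user id) and a string one.
int_sub = encode({"sub": 1, "exp": int(time.time()) + 300})
str_sub = encode({"sub": "1", "exp": int(time.time()) + 300})
if __name__ == "__main__":
    print(outcome(int_sub), "|", outcome(int_sub, verify_sub=False), "|", outcome(str_sub))
```

In this sketch, switching the check off relaxes only the type check on `sub`; a token signed with a different key or past its `exp` is still rejected.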