juanifioren / django-oidc-provider

OpenID Connect and OAuth2 provider implementation for Djangonauts.
http://django-oidc-provider.readthedocs.org
MIT License

Use of pyjwt instead of pyjwkest #207

Open psavoie opened 7 years ago

psavoie commented 7 years ago

An independent security review alerted us that the JSON web token library pyjwkest depends on pycryptodome, and strongly recommended the use of pyca/cryptography for the low-level crypto instead. We'd like to change the JWT implementation to pyjwt. Pyjwt already uses the cryptography library instead of cryptodome. If people feel strongly that pyjwkest should still be used, we can make it configurable. It would be much simpler to just replace it, though. Comments are appreciated.

wojtek-fliposports commented 7 years ago

From my side, +1 for the idea. Can you provide a PR for the current develop branch?

wiliamsouza commented 7 years ago

Some days ago I was looking for a lib to use for JWK, JWS, JWE and JWT; it seems https://github.com/latchset/jwcrypto is the most complete option available. Did you evaluate this lib? My choice was based on its encryption support, which is missing in https://github.com/jpadilla/pyjwt.

psavoie commented 7 years ago

Good question. I think that library is substantially less popular/active than pyjwt.

Encryption support is not needed for this project, and so we should stick with the thing that has a narrower scope. If you need the encryption part for your project, you should install that library independently.

bpereto commented 6 years ago

What is the state of this? I would like to see pyca/cryptography being used. Also, it's classified as a vulnerability: https://github.com/PyCQA/bandit/commit/1c716beb1f7e687df24f2f17dc9b4c34180b1ab8