okta / okta-jwt-verifier-python

okta-jwt-verifier-python
https://github.com/okta/okta-jwt-verifier-python
Apache License 2.0

Replace `python-jose` with `pyjwt` #59

Open lewisdoesstuff opened 2 months ago

lewisdoesstuff commented 2 months ago

As python-jose seems to be unmaintained and has multiple vulnerabilities raised against it, I've replaced this with pyjwt.

The implementation is like-for-like, as pyjwt seems to implement most of the methods used from python-jose identically.

Updated unit test mock paths to new pyjwt locations.

Updated requirements.txt to include pyjwt.

Haven't been able to run integration tests as I'm not entirely sure how I get an ID token via Postman, but that should run in CI.

Also didn't bump the version, but let me know and I'll update it.

Would resolve #54, #60
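As an added example (not code from this PR or from okta-jwt-verifier-python), this is what verifying an Okta-style ID token looks like with pyjwt, the replacement library proposed above: the algorithm list is pinned, issuer and audience are enforced, and the core claims are required rather than optional. The key pair, issuer and audience are constructed for the demo; in production the public key comes from the issuer's JWKS endpoint.

```python
"""Verify an Okta-style ID token with pyjwt (added example, not project code).

Assumes `pip install pyjwt cryptography`. The key pair, issuer and audience
below are constructed for the demo; a real verifier fetches the public key
from the issuer's JWKS endpoint and matches it by `kid`.
"""
import datetime
from typing import Optional

import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

ISSUER = "https://example.okta.com/oauth2/default"  # constructed
AUDIENCE = "api://default"                           # constructed

# Constructed RS256 key pair standing in for the IdP's signing key.
_PRIVATE_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
PRIVATE_KEY_PEM = _PRIVATE_KEY.private_bytes(
    serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
    serialization.NoEncryption())
PUBLIC_KEY_PEM = _PRIVATE_KEY.public_key().public_bytes(
    serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)


def issue_token(sub: str, *, issuer: str = ISSUER, audience: str = AUDIENCE,
                lifetime_s: int = 300) -> str:
    """Mint a test token the way the IdP would (RS256 with iss/aud/iat/exp)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    claims = {"iss": issuer, "aud": audience, "sub": sub,
              "iat": now, "exp": now + datetime.timedelta(seconds=lifetime_s)}
    return jwt.encode(claims, PRIVATE_KEY_PEM, algorithm="RS256")


def verify_token(token: str, public_key_pem: bytes = PUBLIC_KEY_PEM) -> dict:
    """Decode and verify; raises on bad signature, wrong iss/aud or expiry.

    `algorithms` is pinned so the token header cannot select `none` or an
    HMAC algorithm, and the listed claims must be present, not merely valid.
    """
    return jwt.decode(token, public_key_pem, algorithms=["RS256"],
                      issuer=ISSUER, audience=AUDIENCE,
                      options={"require": ["exp", "iat", "iss", "aud", "sub"]})


def verification_error(token: str) -> Optional[str]:
    """Name of the pyjwt error for a rejected token, or None if it verifies."""
    try:
        verify_token(token)
    except jwt.PyJWTError as exc:
        return type(exc).__name__
    return None
```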

lukehsiao commented 1 month ago

@bretterer or @bryanapellanes-okta perhaps? For many companies using this library, we need this to be patched for compliance reasons, or we will need to move off of this library. Can we prioritize this security fix?

lewisdoesstuff commented 1 month ago

> @bretterer or @bryanapellanes-okta perhaps? For many companies using this library, we need this to be patched for compliance reasons, or we will need to move off of this library. Can we prioritize this security fix?

Cheers. In the meantime, if you need to pass vulnerability scanning (at least in Docker):

Obviously not an ideal solution, and it'll vary depending on your base image, but I've had this running in production this week with no issues.

danielhstahl commented 1 month ago

Can a maintainer please take a look at this PR? This PR is an absolute requirement for enterprises looking to use Python to integrate with Okta. My expectation would be that a project like this would be maintained and kept up to date.

lukehsiao commented 1 month ago

We went ahead and replaced okta-jwt-verifier with joserfc entirely.