Open lewisdoesstuff opened 2 months ago
@bretterer or @bryanapellanes-okta perhaps? For many companies using this library, we need this to be patched for compliance reasons, or we will need to move off of this library. Can we prioritize this security fix?
Cheers. In the meantime, if you need to pass vulnerability scanning (at least in Docker):

1. Copy jwt_utils.py from my patch to somewhere in the repo (e.g. patches/okta-jwt-verifier/jwt_utils.py)
2. In requirements.txt, list pyjwt and the dependencies for this library, excluding python-jose
3. Install okta-jwt-verifier with --no-deps
4. Copy the patched file over /usr/bin/python3.xx/site-packages/okta-jwt-verifier-python/okta-jwt-verifier/jwt_utils.py
Obviously not an ideal solution, and it'll vary depending on your base image, but I've had this running in production this week with no issues.
Can a maintainer please take a look at this PR? This PR is an absolute requirement for enterprises looking to use Python to integrate with Okta. My expectation would be that a project like this would be maintained and kept up to date.
We went ahead and replaced okta-jwt-verifier with joserfc entirely.
As python-jose seems to be unmaintained and has multiple vulnerabilities raised against it, I've replaced this with pyjwt. The implementation is like-for-like, as pyjwt seems to implement most of the methods used from python-jose identically.

Updated unit test mock paths to new pyjwt locations.
Updated requirements.txt to include pyjwt.
Haven't been able to run integration tests as I'm not entirely sure how I get an ID token via Postman, but that should run in CI.
Also didn't bump the version, but let me know and I'll update it.
Would resolve #54, #60
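The like-for-like verification the PR description refers to, shown as an added example that is not the PR's or the library's code: pyjwt checks signature, issuer, audience, required claims and expiry in one decode call, and the demo confirms that expired, wrong-audience, wrong-issuer and wrong-key tokens are all rejected. The issuer URL, client ID and RSA key pair are constructed placeholders (in production the public key comes from the tenant's JWKS endpoint), and pyjwt with its cryptography extra is assumed to be installed.

```python
# Added example (not the PR's or the library's code): Okta-style ID-token
# verification with pyjwt. The RSA key pair is a locally generated stand-in.
import time
import jwt
from cryptography.hazmat.primitives.asymmetric import rsa

ISSUER = "https://example.okta.com/oauth2/default"  # placeholder issuer URL
CLIENT_ID = "example-client-id"                      # placeholder audience

# Constructed key pair for the demo only; a verifier never holds the private key.
_PRIVATE_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
PUBLIC_KEY = _PRIVATE_KEY.public_key()


def base_claims(ttl: int = 3600, **overrides) -> dict:
    """Claims an issuer would put in an ID token; overrides simulate bad tokens."""
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "00u-example",
              "iat": now, "exp": now + ttl}
    claims.update(overrides)
    return claims


def mint_token(claims: dict, key=_PRIVATE_KEY) -> str:
    """Sign a token the way the issuer would (test helper, not verifier logic)."""
    return jwt.encode(claims, key, algorithm="RS256")


def verify_id_token(token: str, public_key, issuer: str, client_id: str) -> dict:
    """Check signature, issuer, audience, required claims and expiry in one call.
    `algorithms` is pinned so a token cannot downgrade to `none` or HS256."""
    return jwt.decode(token, public_key, algorithms=["RS256"], issuer=issuer,
                      audience=client_id, leeway=60,
                      options={"require": ["exp", "iat", "iss", "aud", "sub"]})


def check(token: str) -> str:
    """Return 'ok' or the pyjwt exception class name that rejected the token."""
    try:
        verify_id_token(token, PUBLIC_KEY, ISSUER, CLIENT_ID)
        return "ok"
    except jwt.PyJWTError as exc:
        return type(exc).__name__


def demo() -> dict:
    """Run the verifier over one valid token and four that must be rejected."""
    rogue_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cases = {"valid": mint_token(base_claims()),
             "expired": mint_token(base_claims(ttl=-3600)),
             "wrong_audience": mint_token(base_claims(aud="other-client")),
             "wrong_issuer": mint_token(base_claims(iss="https://other.example")),
             "wrong_key": mint_token(base_claims(), key=rogue_key)}
    return {name: check(tok) for name, tok in cases.items()}
```

Running demo() returns a dict with "valid" mapped to "ok" and every other case mapped to the pyjwt exception that rejected it.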