agburch
commented
4 months ago @justinabrokwah-okta - I'm curious to get your thoughts here, I think you might be the most familiar with the current implementation.
Closed agburch closed 4 months ago
agburch
commented
4 months ago @justinabrokwah-okta - I'm curious to get your thoughts here, I think you might be the most familiar with the current implementation.
justinabrokwah-okta
commented
4 months ago @justinabrokwah-okta - I'm curious to get your thoughts here, I think you might be the most familiar with the current implementation.
Thanks so much for this PR, sorry for the delay in response. I'll try to take a look at this today but skimming through, it looks like an overdue change to make. Also tagging @bryanapellanes-okta for visibility
bryanapellanes-okta
commented
4 months ago @agburch Thank you so much for your contribution! I'll review this week and consult with @justinabrokwah-okta . If no issues or concerns arise, I'll plan to merge and publish a new release by the end of next week.
This PR proposes to remove the
ecdsadependency completely by refactoring to usejwcryptoandpyjwt. This change is motivated by the recent CVE that demonstrated the potential vulnerabilities inecdsa. But regardless of any specific vuln, the maintainers of theecdsalibrary have commented to suggest that it is not intended for "production use": https://github.com/tlsfuzzer/python-ecdsa?tab=readme-ov-file#SecurityBy removing
python-josethis PR does remove functionality from thejwtmodule (e.g. specifying alternate hash algorithms or JWT_OPTIONS). But as of today, these features appear to be unused. However please let me know if I'm mistaken here. As far as this PR is concerned though, the output ofJWT.create_token()has not changed.I believe this PR extends the work done in PR #398 by fully removing the package in question. It should also address: Issues #395 Issues #388