ImportError: cannot import name 'JSONWebSignatureSerializer' from 'itsdangerous'

[khteh]

Python 3.10.4 pipenv, version 2022.5.2 flask-oidc 1.4.0 Exception happens on the following import line:

from flask_oidc import OpenIDConnect

[Mikaciu]

Hello, This class has been removed in itsdangerous 2.1.0 : https://itsdangerous.palletsprojects.com/en/2.1.x/changes/#version-2-1-0

It was mentioned in https://github.com/puiterwijk/flask-oidc/issues/3 ...

In your Pipfile, could you please add itsdangerous = "<2.1" ?

[khteh]

How long can you stay in this deprecated functionality? Instead of going backward, this library should be updated to use proper library as described here:

https://itsdangerous.palletsprojects.com/en/2.1.x/changes/ https://docs.authlib.org/en/latest/jose/jws.html

[Mikaciu]

I honestly don't know, I had the same issue several days ago and thought it would be helpful to share ;)

[ecederstrand]

Apparently fixed in https://github.com/puiterwijk/flask-oidc/pull/144

[gcalmettes]

confirming that installing #144 fixes it.

[khteh]

Fixed? Install? What do you mean and how? https://github.com/puiterwijk/flask-oidc/pull/144 is not even merged yet!?

[gcalmettes]

@khteh you can install the changes introduced by #144 by specifying directly the MR or the commit you want in your pip install command.

e.g.: pip install git+https://github.com/puiterwijk/flask-oidc.git@b10e6bf881a3fe0c3972e4093648f2b77f32a97c

On our end, we are using a custom security manager for Airflow to connect using OIDC, which relies on flask-oidc underneath (https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-openid). Because the dependency on itsdangerous is not pinned, the latest build broke the oidc workflow to connect to Airflow, but adding the latest commit of #144 as dependency in our docker build (command above) fixed it.

Note that pip install git+https://github.com/puiterwijk/flask-oidc.git@refs/pull/144/head as specified in #152 would also work if you don't want to freeze to a specific commit and benefit from the update made to the MR.

[khteh]

What stops you from merging and releasing the fix as a new version?

[gcalmettes]

@khteh well, one would need to have the proper rights on the repo for that, so this decision relies on @puiterwijk’s approval of the PR. In the meantime targeting the code of the PR for the install is a workaround.

[khteh]

Ok. Thanks. BTW, what's MR?

[gcalmettes]

Sorry, I mixed the Gitlab’s way of defining things. MR = Merge request (which is Gitlab’s denomination for Pull Request).

[khteh]

For those using pipenv: pipenv install git+https://github.com/puiterwijk/flask-oidc.git@refs/pull/144/head#egg=flask-oidc

[marcelrend]

@puiterwijk could this PR please be merged and released?

[frafful]

Are there any possible workaround this issue? It seems it will take a while to merge the fix to master.

[ecederstrand]

Yes. See https://github.com/puiterwijk/flask-oidc/issues/147#issuecomment-1207160732

[Nixellion]

So it's 2023, 4 months later, is this still the issue and is it not yet updated?

[nebucadnezzar]

if it fixed, why dont you get updated?

[macmule]

Came here hoping for a fix too.

[frozenpandaman]

Still waiting on a fix…