Use OIC instead of Python-Jose #48
Co-authored-by: Rémy HUBSCHER <[email protected]>
@robert-mings for visibility 👀
Introducing a dependency on OIC would cause a pretty significant explosion in transitive dependencies of this package. https://github.com/CZ-NIC/pyoidc/blob/master/setup.py#L86-L95 And it seems like overkill to bring in a "complete OpenID Connect implementation" just for the couple of JWK related functions actually used. PyJWT as implemented in #49 in contrast only really depends on the standard library and the well maintained and very popular cryptography package.
Robert is off until June 24th, let's wait for his return to see if we can cut a release.
Thanks for the willingness to contribute @keaton185! We've moved ahead with the |
Context
This package indirectly uses python-jose, which is affected by GHSA-cjwg-qfpm-7377 and which additionally seems to be abandoned by its maintainers.
Move this package to use OIC to generate the JWK instead.