Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency python-Jose appears to be unmaintained #54

Closed
jusdino opened this issue Dec 28, 2023 · 6 comments · Fixed by #59
Closed

Dependency python-Jose appears to be unmaintained #54

jusdino opened this issue Dec 28, 2023 · 6 comments · Fixed by #59

Comments

@jusdino
Copy link

jusdino commented Dec 28, 2023

Hey - just a heads-up that it appears this library is using python-jose as a dependency, which hasn't been updated in ~2 years. Maintainers haven't shown any activity in GitHub for issues or pull requests in quite a while, either. It would probably be prudent to pivot to PyJWT or JWCrypto, before CVEs start cropping up against the abandoned library.
@rxm7706 rxm7706 mentioned this issue Dec 31, 2023
Open
@lewisdoesstuff
Copy link
Contributor

before CVEs start dropping up against the abandoned library.

Looks like that's now, found in python-ecdsa.

Are there any plans to use the cryptography build of python-jose, or migrate?

@rsb177
Copy link

rsb177 commented Mar 1, 2024

@bretterer any updates on this? Does Okta have a migration plan? Or should we switch to a new library altogether?

@lewisdoesstuff
Copy link
Contributor

Yet more vulnerabilities discovered in python-jose.

We could really do with a PyJWT build of this

lewisdoesstuff added a commit to lewisdoesstuff/okta-jwt-verifier-python that referenced this issue Apr 30, 2024
@lewisdoesstuff
Replace python-jose with pyjwt
e774cb7 
As `python-jose` seems to be unmaintained and has multiple vulnerabilities raised against it, I've replaced this with `pyjwt`.

The implementation is like-for-like, as `pyjwt` seems to implement most of the methods used from `python-jose` identically.

Updated unit test mock paths to new `pyjwt` locations.

Updated `requirements.txt` to include `pyjwt`

Would resolve okta#54
@lewisdoesstuff lewisdoesstuff mentioned this issue Apr 30, 2024
Merged
@developingAlex
Copy link

developingAlex commented May 7, 2024
edited
Loading

It looks like the implementation mitigates this vulnerability (at least from what I looked into for the AccessTokenVerifier)
since calling verify_access_token it will assert that the supplied header algorithm is set to RS256 (NOT HS256 which is the dangerous one) and raises a JWTValidationException if it finds it set to anything other than that.

furthermore it then goes on to verify the signature and is explicit about using the RS256 algorithm (not leaving it up to the unsafe default of HS256)

@lukehsiao
Copy link

@developingAlex which vulnerability are you looking at exactly? There are a few. For example mpdavis/python-jose#344 is GHSA-cjwg-qfpm-7377, and as far as I understand, is not necessarily related to the algorithm chosen.

@developingAlex
Copy link

Sorry I was referring only to this python-jose issue description.

@dude0001 dude0001 mentioned this issue Aug 2, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Replace python-jose with pyjwt lewisdoesstuff/okta-jwt-verifier-python
5 participants
@lukehsiao @lewisdoesstuff @jusdino @developingAlex @rsb177