
Dependency python-Jose appears to be unmaintained

Open jusdino opened this issue 2 years ago • 4 comments

Hey - just a heads-up that it appears this library is using python-jose as a dependency, which hasn't been updated in ~2 years. Maintainers haven't shown any activity in GitHub for issues or pull requests in quite a while, either. It would probably be prudent to pivot to PyJWT or JWCrypto, before CVEs start cropping up against the abandoned library.

jusdino avatar Dec 28 '23 15:12 jusdino

> before CVEs start cropping up against the abandoned library.

Looks like that's now, found in python-ecdsa.

Are there any plans to use the cryptography build of python-jose, or migrate?

lewisdoesstuff avatar Jan 25 '24 11:01 lewisdoesstuff

@bretterer any updates on this? Does Okta have a migration plan? Or should we switch to a new library altogether?

rsb177 avatar Mar 01 '24 14:03 rsb177

Yet more vulnerabilities discovered in python-jose.

We could really do with a PyJWT build of this.

lewisdoesstuff avatar Apr 30 '24 10:04 lewisdoesstuff

It looks like the implementation mitigates this vulnerability (at least from what I looked into for the AccessTokenVerifier), since, when calling verify_access_token, it asserts that the supplied header algorithm is set to RS256 (NOT HS256, which is the dangerous one) and raises a JWTValidationException if it finds it set to anything other than that.

Furthermore, it then goes on to verify the signature and is explicit about using the RS256 algorithm (not leaving it up to the unsafe default of HS256).

developingAlex avatar May 07 '24 04:05 developingAlex
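As an added illustration of the header-pinning check described in the comment above (this is not the verifier's own code), the following standalone Python rejects any token whose header `alg` is not RS256 before any signature work happens, and returns the pinned algorithm so the caller passes it explicitly to its JWS library instead of letting the header choose. `JWTValidationException`, `ALLOWED_ALGS` and the helper names are assumptions, and the sample tokens are constructed with placeholder payloads and signatures.

```python
import base64
import json


class JWTValidationException(Exception):
    """Raised when the token header is malformed or its alg is not allowed."""


# Okta access tokens are RS256-signed, so this is the only algorithm accepted.
# HS256 and "none" are deliberately absent from the allowlist.
ALLOWED_ALGS = frozenset({"RS256"})


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def parse_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS without trusting any of it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTValidationException("token must have exactly three segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise JWTValidationException("header is not valid base64url JSON") from exc
    if not isinstance(header, dict):
        raise JWTValidationException("header must be a JSON object")
    return header


def assert_expected_algorithm(token: str, allowed=ALLOWED_ALGS) -> str:
    """Reject the token before signature checking unless header.alg is allowed.

    The returned algorithm is what the caller must pass explicitly to its JWS
    library, so the header never selects the algorithm on its own.
    """
    alg = parse_header(token).get("alg")
    # Exact, case-sensitive match: "rs256", "none" and "HS256" all fail here.
    if not isinstance(alg, str) or alg not in allowed:
        raise JWTValidationException(f"unexpected alg {alg!r}; expected {sorted(allowed)}")
    return alg


def make_sample_token(header: dict) -> str:
    # Constructed sample token: payload and signature are placeholders, since
    # only the header check is exercised here.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    return ".".join([enc(json.dumps(header).encode()), enc(b'{"sub":"demo"}'), enc(b"sig")])
```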

@developingAlex which vulnerability are you looking at exactly? There are a few. For example https://github.com/mpdavis/python-jose/issues/344 is https://github.com/advisories/GHSA-cjwg-qfpm-7377, and as far as I understand, is not necessarily related to the algorithm chosen.

lukehsiao avatar May 17 '24 15:05 lukehsiao

Sorry I was referring only to this python-jose issue description.

developingAlex avatar May 18 '24 05:05 developingAlex