Skip to content

Use OIC instead of Python-Jose #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Use OIC instead of Python-Jose #48

wants to merge 3 commits into from

Conversation

@keaton185
Copy link

@keaton185 keaton185 commented May 21, 2024

Context

This package indirectly uses python-jose, which is affected by: GHSA-cjwg-qfpm-7377 which additionally seems to be abandoned by it's maintainers.

Move this package to use OIC to generate the JWK instead.

Natim
Natim reviewed May 28, 2024
View reviewed changes
Natim
Natim reviewed May 28, 2024
View reviewed changes
This was referenced May 28, 2024
Merged
Closed
keaton185 and others added 2 commits May 28, 2024 22:00
@keaton185 @Natim
Update setup.py
55f6b74 
Co-authored-by: Rémy HUBSCHER <[email protected]>
@keaton185 @Natim
Update requirements.txt
bdb6177 
Co-authored-by: Rémy HUBSCHER <[email protected]>
@keaton185
Copy link
Author

keaton185 commented May 29, 2024

@robert-mings for visibility 👀

@dreid
Copy link

dreid commented Jun 7, 2024

Introducing a dependency on OIC would cause a pretty significant explosion in transitive dependencies of this package.

https://github.com/CZ-NIC/pyoidc/blob/master/setup.py#L86-L95

And it seems like overkill to bring in a "complete OpenID Connect implementation" just for the couple of JWK related functions actually used.

PyJWT as implemented in #49 in contrast only really depends on the standard library and the well maintained and very popular cryptography package.

@Natim
Copy link
Contributor

Natim commented Jun 10, 2024

Robert is off until June 24th, let's wait for his return to see if we can cut a release.

@robert-mings
Copy link
Collaborator

robert-mings commented Aug 1, 2024

Thanks for the willingness to contribute @keaton185! We've moved ahead with the pyjwt implementation instead of OIC through this PR.

@keaton185 keaton185 deleted the use-oic branch August 4, 2024 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

4 more reviewers

@Natim Natim Natim left review comments

@adamchainz adamchainz adamchainz left review comments

@jordan-chalupka jordan-chalupka jordan-chalupka approved these changes

@sph-floatingpoint sph-floatingpoint sph-floatingpoint approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@keaton185 @dreid @Natim @robert-mings @adamchainz @jordan-chalupka @sph-floatingpoint