
Switch from itsdangerous to another JWT library #6224

Closed
conorsch opened this issue Jan 13, 2022 · 2 comments · Fixed by #6403
@conorsch
Contributor

Description

An upcoming release of itsdangerous, 2.1, will drop support for JSON Web Signatures. The project maintainers recommend switching to authlib instead. Encountered the deprecation notice while performing a diff review. See this relevant GitHub issue with maintainer comments.

@legoktm
Member

legoktm commented Jan 19, 2022

I'm still looking around, but authlib seems very heavy for our pretty minimal needs. I think something smaller that just does JWT/JWS might be a better fit? E.g. https://github.com/jpadilla/pyjwt

Via tokei, authlib is 17K Python LOC, while pyjwt is 1.6K (just the library, excluding tests).

@legoktm legoktm self-assigned this Feb 11, 2022
@legoktm
Member

legoktm commented Feb 12, 2022

I reviewed the libraries listed at https://jwt.io/libraries?language=Python:

  • pyjwt: Clean and straightforward API, code looked to be implemented correctly. No red flags in past security issues.
  • python-jose: fork of pyjwt without clear justification, didn't seem to be any significant improvement
  • jwcrypto: Not a fan of the API, seems harder to use than pyjwt
  • authlib: contains a bunch of auth-related things, really overkill for what we need.

I'll push a PR to use pyjwt in a few minutes.

@legoktm legoktm changed the title Switch from itsdangerous to authlib Switch from itsdangerous to another JWT library Feb 12, 2022
legoktm added a commit that referenced this issue Feb 12, 2022
itsdangerous deprecated TimedJSONWebSignatureSerializer in 2.0 and has
entirely removed it in 2.1, so we need to switch to something else. They
recommended authlib, except that's a pretty large general-purpose
authentication library.

pyjwt is a smallish (1k LOC) library that just provides JWT/JWS
functionality. For the HS512 algorithm, it uses the same implementation
from hashlib in the Python standard library as itsdangerous did.

Tests are provided to verify successful operation as well as different
failure modes, such as invalid tokens, incorrect secret key, wrong
algorithm, and lack of an expiry.

Tokens generated by itsdangerous are not decodable by pyjwt because
itsdangerous passed the expiry as a header while pyjwt includes the
expiry in the body/payload itself. This shouldn't be a significant issue
since these tokens already expire after 8 hours.

Fixes #6224.
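The commit above says pyjwt computes HS512 with the same hashlib primitive itsdangerous used, moves the expiry into the payload as an `exp` claim, and is tested against invalid tokens, a wrong secret key, a wrong algorithm and a missing expiry. The following standard-library sketch is an added example, not the project's code and not pyjwt, that makes those mechanics and failure modes concrete: a pinned-algorithm HS512 signer and verifier whose rejection reasons line up with the tests the commit message lists. The key, claims and timestamps are constructed values.

```python
# Added example (not the project's code, not pyjwt): minimal HS512 JWS using
# only the standard library, to show the mechanics and failure modes the commit
# describes. Key, claims and timestamps below are constructed for the example.
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Pinned server-side. The token's own header is never allowed to choose the
# algorithm, which is what rules out "alg":"none" and algorithm-downgrade tokens.
ALGORITHM = "HS512"


class TokenError(Exception):
    """Raised for any token that must not be accepted; the message is the reason."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWS strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature; the MAC is HMAC-SHA512 over the first two parts."""
    signing_input = _b64url_encode(_json(header)) + "." + _b64url_encode(_json(payload))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url_encode(mac)


def encode(claims: dict, key: bytes, expires_in: int, now: Optional[int] = None) -> str:
    """Issue a token whose expiry lives in the payload as `exp` (the pyjwt convention)."""
    now = int(time.time()) if now is None else now
    return sign({"alg": ALGORITHM, "typ": "JWT"}, dict(claims, exp=now + expires_in), key)


def decode(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Verify a token and return its claims, or raise TokenError with the reason."""
    now = int(time.time()) if now is None else now
    if not token.isascii() or token.count(".") != 2:
        raise TokenError("invalid token: malformed structure")
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (binascii.Error, ValueError):
        raise TokenError("invalid token: undecodable header or signature")
    # Check the algorithm before doing any crypto.
    if not isinstance(header, dict) or header.get("alg") != ALGORITHM:
        raise TokenError("wrong algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    # Constant-time comparison; a wrong key or a tampered payload both fail here.
    if not hmac.compare_digest(expected, sig):
        raise TokenError("incorrect secret key or tampered token")
    # Only after the signature checks out is the payload parsed and trusted.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (binascii.Error, ValueError):
        raise TokenError("invalid token: undecodable payload")
    if not isinstance(claims, dict) or "exp" not in claims:
        raise TokenError("missing expiry")
    if not isinstance(claims["exp"], (int, float)) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def verdict(token: str, key: bytes, now: int) -> str:
    """Return "ok" or the rejection reason, for exercising the failure modes."""
    try:
        decode(token, key, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"constructed-example-key-not-a-real-secret"
    issued = 1_700_000_000
    token = encode({"uid": 7}, key, expires_in=8 * 3600, now=issued)
    print(verdict(token, key, issued + 3600))          # ok
    print(verdict(token, b"other-key", issued + 3600)) # incorrect secret key or tampered token
    print(verdict(token, key, issued + 8 * 3600))      # expired
    print(verdict(sign({"alg": "none"}, {"uid": 7, "exp": issued + 60}, key), key, issued))  # wrong algorithm
    print(verdict(sign({"alg": "HS512"}, {"uid": 7}, key), key, issued))  # missing expiry
```

The ordering in `decode` is the security-relevant part: the algorithm is compared against a server-side constant before any HMAC is computed, the signature is checked with `hmac.compare_digest` before the payload is parsed, and an `exp` claim is required rather than optional. The pyjwt counterpart of those three choices is passing an explicit `algorithms=["HS512"]` allow-list and `options={"require": ["exp"]}` to `jwt.decode`, so the library refuses tokens that name another algorithm or omit the expiry instead of silently accepting them.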