Vulnerability in okta-jwt-verifier dependency python-jose

We use okta-jwt-verifier (Python) for OAuth token verification. There is an open issue github dot com/okta/okta-jwt-verifier-python/issues/54 regarding a vulnerability in one of its dependencies python-jose. The python-jose project seems to be abandoned github dot com/mpdavis/python-jose/issues/340.

A community member has committed a pull request github dot com/okta/okta-jwt-verifier-python/pull/59 that replaces the python-jose dependency with pyjwt.

Could we get a maintainer of okta-jwt-verifier from Okta to review and/or comment on the PR? Can we get a comment on the issue if the PR cannot be merged? This library is recommended in the Developer docs developer.okta dot com/docs/guides/validate-access-tokens/python/main/#decode-and-validate-the-access-token. The community needs to know if Okta plans to maintain the library or if plans should be made to migrate away from it.
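The question behind this post is whether an installed copy of okta-jwt-verifier (or anything else in the environment) still pulls in python-jose. One way to answer that without waiting on the upstream PR is to read the `Requires-Dist` metadata pip installs next to every distribution and list the packages that declare a dependency on python-jose. The block below is an added example written for this thread, not code from okta-jwt-verifier, the PR, or Okta; the sample metadata in `SAMPLE` is constructed (only the okta-jwt-verifier to python-jose relationship comes from the thread itself), and the helper names are my own.

```python
"""List installed distributions that declare a dependency on a given package
(here python-jose) by reading their Requires-Dist metadata.
Added example; not from the thread or from okta-jwt-verifier."""
import re
from importlib import metadata
from typing import Dict, List, Optional

# A Requires-Dist value looks like
#   "python_jose[cryptography]>=3.3.0; extra == 'jwt'"
# so the project name is the leading token, before any extras, specifier
# or environment marker.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> Optional[str]:
    """Return the normalised project name of one requirement string."""
    m = _NAME_RE.match(req)
    return normalize(m.group(1)) if m else None


def find_dependents(requires_by_dist: Dict[str, List[str]], target: str) -> Dict[str, str]:
    """Map each distribution whose requirements name `target` to the
    requirement string that names it (first match per distribution)."""
    wanted = normalize(target)
    hits: Dict[str, str] = {}
    for dist, reqs in requires_by_dist.items():
        for req in reqs:
            if requirement_name(req) == wanted:
                hits[dist] = req.strip()
                break
    return hits


def installed_requirements() -> Dict[str, List[str]]:
    """Collect Requires-Dist entries for every distribution visible to
    the running interpreter (empty list when a package declares none)."""
    out: Dict[str, List[str]] = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            out[name] = list(dist.requires or [])
    return out


# Constructed sample metadata (assumed, not read from a real environment).
# The okta-jwt-verifier -> python-jose edge is the one the thread describes;
# the other entries are made-up names showing the formats the parser handles.
SAMPLE: Dict[str, List[str]] = {
    "okta-jwt-verifier": ["python-jose"],
    "some-other-lib": ["requests>=2.0", "python_jose[cryptography] ; extra == 'jwt'"],
    "pyjwt": ["cryptography>=3.4.0; extra == 'crypto'"],
}

if __name__ == "__main__":
    print("sample environment:")
    for dist, req in find_dependents(SAMPLE, "python-jose").items():
        print(f"  {dist} -> {req}")
    # The same check against whatever is installed right now.
    live = find_dependents(installed_requirements(), "python-jose")
    print("live environment:", live or "no installed package requires python-jose")
```

Run it inside the virtualenv that ships your service; an empty result for the live environment means no installed package declares python-jose as a requirement, which is the check to repeat after upgrading okta-jwt-verifier. Note that it reports declared dependencies only, so a package that imports `jose` without listing it in its metadata would not show up.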

Hello,

Which type of critical issue are you facing with the okta-jwt-verifier library due to its dependency on the unmaintained python-jose library? Give some details so I can help you.

Our security and engineering teams are aware and have added an item to their roadmap to address this vulnerability. I will look to follow up in this thread once we have an update to share.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Sorry for the delay closing the loop on this one!

We actually published a new version of our Python JWT verifier back in August, removing python-jose (mentioned here). The GitHub Release Notes for v0.2.7 include details for the missing releases on the GitHub repo, including the removal of python-jose.