We use okta-jwt-verifier (Python) for OAuth token verification. There is an open issue github dot com/okta/okta-jwt-verifier-python/issues/54 regarding a vulnerability in one of its dependencies, python-jose. The python-jose project seems to be abandoned github dot com/mpdavis/python-jose/issues/340.
A community member has committed a pull request github dot com/okta/okta-jwt-verifier-python/pull/59 that replaces the python-jose dependency with pyjwt.
Could we get a maintainer of okta-jwt-verifier from Okta to review and/or comment on the PR? Can we get a comment on the issue if the PR cannot be merged? This library is recommended in the Developer docs developer.okta dot com/docs/guides/validate-access-tokens/python/main/#decode-and-validate-the-access-token. The community needs to know if Okta plans to maintain the library or if plans should be made to migrate away from it.