Vulnerability in okta-jwt-verifier dependency python-jose

mlambert_zp · July 24, 2024, 2:51pm

We use okta-jwt-verifier (Python) for OAuth token verification. There is an open issue github dot com/okta/okta-jwt-verifier-python/issues/54 regarding a vulnerability in one of its dependencies python-jose. The python-jose project seems to be abandoned github dot com/mpdavis/python-jose/issues/340.

A community member has committed a pull request github dot com/okta/okta-jwt-verifier-python/pull/59 that replaces the python-jose dependency with pyjwt.

Could we get a maintainer of okta-jwt-verifier from Okta to review and/or comment on the PR? Can we get a comment on the issue if the PR cannot be merged? This library is recommended in the Developer docs developer.okta dot com/docs/guides/validate-access-tokens/python/main/#decode-and-validate-the-access-token. The community needs to know if Okta plans to maintain the library or if plans should be made to migrate away from it.

krina234pestro · July 26, 2024, 4:17am

Hello,

Which type of facing a critical issue with the okta-jwt-verifier library due to its dependency on the unmaintained python-jose library. Give some details so i can help you.

andrea · July 30, 2024, 4:05pm

Our security and engineering teams are aware and has added an item to their roadmap to address this vulnerability. I will look to follow up in this thread once we have an update to share.

system · August 29, 2024, 4:06pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.