-
-
Notifications
You must be signed in to change notification settings - Fork 695
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sub must be a string now? #1017
Comments
#1005 most likely. We also stumbled over having Setting |
I'm also facing this issue with my flask website with Flask-JWT-Extended. {
"msg": "Subject must be a string"
} Downgraded to PS: wrote very verbosely for others facing the same issues and searching around. |
We just ran into this issue, thankfully our tests caught it before pushing to production. Pinning to |
Hello, We had this breaking change as well, but adopted the 2.10 version nonetheless as it was simple to fix |
We are affected by this change as well via Flask-JWT-Extended. |
This change caused all our protected requests to fail with 401. We caught it on dev environment, luckily. |
is it normal that a csrf field now appears in the web token from 2.10.0 whereas it was not there before ? |
Same issue here. Downgraded to 2.90 |
@ChronoDK The "sub" claim if present should indeed be a string according to the JWT RTF:
So in that sense the validation logic is correct to throw an error. As for all other JWT claim validations, these validations are turned on by default (see #1005), so I can imagine it might have broken some code. In case no I'm not author that built this functionality, but I was suggesting the 2.10.0 version number in my PR, to get some of the new functionality available through an official release. So my apologies if the version number created the wrong expectations, and broke any code. To go back to the old behaviour of 2.9.0 and below, just add the following as @WolfgangFellger already suggested: my_jwt = "JWTGoesHere"
jwt.decode(my_jwt, options={"verify_sub": False, "verify_jti": False}) Or start using the new validation functionality: my_jwt = "JWTGoesHere"
my_expected_subject = "someSubject"
jwt.decode(my_jwt, subject=my_expected_subject) |
Hi everyone, I appreciate the feedback regarding the I understand that this change may have caused issues for some users whose JWTs contain non-string To address this you can follow the steps mentioned by @benvdh-incentro or @WolfgangFellger or refer to the solution provided here Thank you for bringing this to my attention. |
Hi. FWIW, having been tripped on Apache Superset, we have been able to followup on your reference to flask-jwt-extended. Thank you very much, @Divan009. Coming from there, and after receiving support on apache/superset#30995, the right solution for us was to update to flask-jwt-extended 4.7.1 released two days ago, and configure |
- PyJWT < 2.10.0 is required due to jpadilla/pyjwt#1017 - increase leeway for mwoauth.identify function because the default value of 10.0 seconds is too low sometimes - add __repr__ method for LoginManager Bug: T380270 Change-Id: Ie7fadb26f5a3947343feb302f58098d266af2fee
I think this change is indeed breaking, and it should have been introduced gradually:
Fortunately, we've encountered this problem while running tests. However, I can imagine how it can make millions of existing tokens to suddenly become invalid, with no obvious way to recover from that. It seems that the most popular solution now is to stick to I suggest disabling the validation by default in the next release to recover from that. |
Also, it seems that
For a typical app using JWT with non-string `sub' claim this would mean that users will be able to login without error, but all authenticated API calls will cause an exception. |
@andreyfedoseev thank you so much for that last callout on the invalid jwt being encoded, you just saved me who knows how long of digging! |
All MediaWiki sites use numerical values for subjects "sub" and therefore oauth access fails with pyjwt 2.10 because of this breaking change. I don't think it's up to a package to enforce the validity of the "sub" content with the specification except this is explicitly wanted e.g. using a "strict" parameter or sth. like that. |
Same issue with jwt flask extended package. Had to downgrade package version after spending hours debugging. |
The latest version has a new option which allows you to configure the behavior. JWT_VERIFY_SUB |
does |
I'm using Flask-JWT-Extended. I'm also experiencing this issue in release testing. the new detection for sub in 2.9.0 -> 2.10.0 doesn't seem to be very smooth. I'm currently rolling back to 2.9.0 to get around it. |
If you configure |
Thank you for your quick reply, I followed your instructions to implement them and they are working well so far, thank you for your work. |
It seems there is a breaking change in 2.10.0 - sub must be a string now. Is this intentional? Not sure how to handle this change for now, except keep using 2.9.0.
The text was updated successfully, but these errors were encountered: