-
-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PyJWT 2.10.0 Enforces sub
#561
Comments
Came here to create this exact issue. I was very confused when this started to occur just today in my work environment. |
I can see how not doing a hard cutoff would be a problem. I'm not opposed to a adding a way to set
This would not be feasible if you have super long lived tokens, or if you are using In terms of allowing Let me know! |
Also I'm going to link this comment I wrote in another ticket that outlines some ways that you could go about migrating |
Good call on waiting the tokens out. Sadly though, that isn't a realistic option for my particular circumstance. I went ahead and made a PR to add the functionality. |
Thanks for the PR. It has been released in version 4.7.1. Cheers! |
Recently the version of the PyJWT dependency was upgraded to 2.10.0, which adds new token verification behavior. In this version PyJWT enforces that the
sub
claim in the JWT be a string, and deems the token invalid if that verification fails (by default). This issue in PyJWT has a discussion about the change, and ways to work around it: jpadilla/pyjwt#1017I have only just now become am aware that in the JWT spec the
sub
claim is indeed supposed to be a string, and have been using an integer in that field for a long time. This upgrade naturally has caught me out, since any tokens I issue in this way are now deemed invalid and result in a rejection. I don't believe I am alone in this situation, as multiple people piled onto the aforementioned Github issue being caught by the change.To rectify the situation, it's clear that my application should start using strings for our
sub
claim. Unfortunately though, we can't simply make a hard cut over. We need preexisting tokens which haven't expired to continue to be valid. This means we need to be able to verify and parse older tokens that will havesub
as anint
. Right now, I'm not seeing any way to accomplish this besides pinning PyJWT to 2.9.0.The recommended way (from PyJWT contributors) to navigate this seems to be specifying
verify_sub=False
as an option to theirjwt.decode
function per this comment. As a user of flask-jwt-extended, the high level functionsverify_jwt_in_request
andjwt_required
don't seem to provide any way in the current API to control options likeverify_sub
(or any other low level options) in the underlying calls to PyJWT.I took a look at the code, and I can see many possible avenues for adding such functionality (if desired). Before putting together a PR or anything, I figured I'd first ask:
Let me know what you think, thanks in advance for the feedback!
The text was updated successfully, but these errors were encountered: