Why python-jose is still recommended in the documentation when it is nearly abandoned.

[p4perf4ce]

First Check

• I added a very descriptive title here.
• I used the GitHub search to find a similar question and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

No code needs to be provided.

Description

According to this page in the documentation:
https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/

"But it was updated to use Python-jose instead as it provides all the features from PyJWT plus some extras that you might need later when building integrations with other tools."

I don't think this is still relevant because we can't even use it on python >= 3.10 because python-jose is already deprecated, see: mpdavis/python-jose#307. I suggest that we should move back to pyJWT (which is actively maintained) or continue #3305 work.

Operating System

Linux

Operating System Details

No response

FastAPI Version

0.9.5

Python Version

3.10

Additional Context

Error log:

ImportError: cannot import name 'Mapping' from 'collections' (lib/python3.10/collections/__init__.py)

[Kludex]

That should be fixed already on their behalf. I think they need to do a release?

[p4perf4ce]

Sorry to dig this up @Kludex.
It's been a year and still haven't been fixed, and now there's a severe CVE mentioned by @stefan-hoelzl below. Without a way to properly raise an issue, I think community should get some responses to this matter.

Best.

[raayu83]

Maybe https://github.com/lepture/authlib would also be an alternative?
Or https://github.com/authlib/joserfc derived from it if you just want the jose part.

[p4perf4ce]

Yeah, I ended up using authlib to handle all jwt related tasks. Just wonder why the official documentation recommends something outdated that doesn't work at a time, while there exist better alternatives.

[noorul]

authlib is listed under https://jwt.io/libraries?language=Python

[stefan-hoelzl]

I stumbled across this, because I got an security alert for ecdsa (which is a dependency of python-jose) and discovered that this vulnerability will not be fixed and out of scope of ecdsa

After some research I discovered, that my project is not affected, because I use the cryptography backend.

But it is still not a good experience when the documentation recommends a package which introduces a dependency (even if not used) to my project which has known vulnerabilities and by default relies on cryptographic libraries which are not designed for security!

[jsimonlane]

I also got an error similar to this, namely because of the ECDSA alert. Implemented a fix equivalent to the below, which fixed the issues for me.

igorbenav/FastAPI-boilerplate@4885a46

It would be super easy for us to implement this equivalent in the docs for FastAPI. I'm happy to do it if there is demand from the community?

[JohnVonNeumann]

Yo @tiangolo, can this issue get a bit of sunlight please? Appreciate that things can get busy but I feel that as a community we should be taking this type of thing seriously. Appreciate all the hard work.

[estebanx64]

Hi there

We are aware of the situation of python-jose having the last version in 2021 and the security issues about it. We will move forward to try to fix this as soon as possible, update the documentation to use another better library with active development.

[tiangolo]

This was handled by @estebanx64 in this PR, now the docs use PyJWT: #11589 🚀

[rbubley]

Now CVE-2024-33663 too

GHSA-6c5p-j8vq-pqhj

[SpoonOfDoom]

Agreed, this should probably be addressed.

[estebanx64]

We decided to move forward with PyJWT instead python-jose, the docs were updated now.

#11589

[noorul]

As per https://jwt.io/libraries?language=Python authlib seems to have more functionality.

[eddy2by4]

authlib is not free, check their pricing page.

[noorul]

That is for the paid one. But we could use the BSD licensed one.