Problem in Apache Superset: PyJWT 2.10 changed semantics, Flask-JWT-Extended 4.7.1 needs a configuration change

[amotl]

Problem

When setting up a fresh sandbox environment, PyJWT 2.10 gets installed, released on Nov 17, i.e. five days ago. That breaks a little integration test suite against Apache Superset we are running.

The initial discovery was reported here:

• Software tests start failing with Apache Superset 3.x/4.x and PyJWT 2.10 crate/cratedb-examples#741

The detailed report and investigation happened here:

• Problem with PyJWT 2.10: {'msg': 'Subject must be a string'} apache/superset#30995

Solution

@jlucier and @vimalloc suggested at apache/superset#30995 (comment):

Have you configured flask-jwt-extended to not verify the sub claim? 'JWT_VERIFY_SUB=False'.

That probably needs to take place after upgrading to Flask-JWT-Extended 4.7.1, which includes relevant code updates?

[amotl]

We have been able to resolve this by updating to Flask-JWT-Extended 4.7.1 and configuring it using JWT_VERIFY_SUB = False.

• Problem with PyJWT 2.10: {'msg': 'Subject must be a string'} apache/superset#30995 (comment)
• Apache Superset: Fix JWT problem by updating to flask-jwt-extended 4.7.1 crate/cratedb-examples#749

[michael-s-molina]

@dpgaspar This change will break API use cases in Superset. Will this be handled by Flask AppBuilder or do we need to add a default configuration in Superset?