-
-
Notifications
You must be signed in to change notification settings - Fork 692
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sub must be a string now? #1017
Comments
#1005 most likely. We also stumbled over having Setting |
I'm also facing this issue with my flask website with Flask-JWT-Extended. {
"msg": "Subject must be a string"
} Downgraded to PS: wrote very verbosely for others facing the same issues and searching around. |
We just ran into this issue, thankfully our tests caught it before pushing to production. Pinning to |
Hello, We had this breaking change as well, but adopted the 2.10 version nonetheless as it was simple to fix |
We are affected by this change as well via Flask-JWT-Extended. |
This change caused all our protected requests to fail with 401. We caught it on dev environment, luckily. |
is it normal that a csrf field now appears in the web token from 2.10.0 whereas it was not there before ? |
Same issue here. Downgraded to 2.90 |
@ChronoDK The "sub" claim if present should indeed be a string according to the JWT RTF:
So in that sense the validation logic is correct to throw an error. As for all other JWT claim validations, these validations are turned on by default (see #1005), so I can imagine it might have broken some code. In case no I'm not author that built this functionality, but I was suggesting the 2.10.0 version number in my PR, to get some of the new functionality available through an official release. So my apologies if the version number created the wrong expectations, and broke any code. To go back to the old behaviour of 2.9.0 and below, just add the following as @WolfgangFellger already suggested: my_jwt = "JWTGoesHere"
jwt.decode(my_jwt, options={"verify_sub": False, "verify_jti": False}) Or start using the new validation functionality: my_jwt = "JWTGoesHere"
my_expected_subject = "someSubject"
jwt.decode(my_jwt, subject=my_expected_subject) |
Hi everyone, I appreciate the feedback regarding the I understand that this change may have caused issues for some users whose JWTs contain non-string To address this you can follow the steps mentioned by @benvdh-incentro or @WolfgangFellger or refer to the solution provided here Thank you for bringing this to my attention. |
Hi. FWIW, having been tripped on Apache Superset, we have been able to followup on your reference to flask-jwt-extended. Thank you very much, @Divan009. Coming from there, and after receiving support on apache/superset#30995, the right solution for us was to update to flask-jwt-extended 4.7.1 released two days ago, and configure |
- PyJWT < 2.10.0 is required due to jpadilla/pyjwt#1017 - increase leeway for mwoauth.identify function because the default value of 10.0 seconds is too low sometimes - add __repr__ method for LoginManager Bug: T380270 Change-Id: Ie7fadb26f5a3947343feb302f58098d266af2fee
It seems there is a breaking change in 2.10.0 - sub must be a string now. Is this intentional? Not sure how to handle this change for now, except keep using 2.9.0.
The text was updated successfully, but these errors were encountered: