Background
PR #1536 upgrades authlib from 1.6.9 to 1.7.0 to address a CVE. However, authlib 1.7.0 introduces breaking changes that require follow-up work.
Requested by: @tisnik
Related PR: #1536
Related comment: #1536 (comment)
Problem
authlib 1.7.0 deprecates the authlib.jose module in favor of the standalone joserfc library. Several OAuth2/OIDC modules now internally use joserfc, causing breaking changes in exception handling.
The current codebase in src/authentication/jwk_token.py directly imports from the deprecated authlib.jose module:
- JsonWebKey, JsonWebToken from authlib.jose
- Exception classes: BadSignatureError, DecodeError, ExpiredTokenError, etc. from authlib.jose.errors
In authlib 1.7.0, affected modules now raise joserfc-based exceptions instead of those from authlib.jose.errors, so existing except clauses written against the old classes no longer match; this may cause silent failures or unhandled exceptions.
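The failure mode above, as an added example (not code from this repository or from authlib/joserfc): a verification wrapper whose except clause only knows the old authlib.jose.errors hierarchy lets a joserfc exception escape, while a wrapper that catches whichever JOSE base error classes are importable fails closed. The decode_fn callable and the OldJoseError/NewJoseError classes are constructed stand-ins so the demonstration runs whether or not either library is installed; the only real names assumed are joserfc.errors.JoseError and authlib.jose.errors.JoseError.

```python
import importlib
from typing import Any, Callable, Optional, Tuple

# Candidate (module, attribute) pairs for the JOSE base error class in each library.
JOSE_ERROR_SOURCES = (
    ("joserfc.errors", "JoseError"),       # what authlib >= 1.7.0 now raises
    ("authlib.jose.errors", "JoseError"),  # deprecated module, still importable for now
)


def load_jose_error_classes(sources=JOSE_ERROR_SOURCES) -> Tuple[type, ...]:
    """Collect whichever JOSE error base classes are importable in this environment."""
    found = []
    for module_name, attr in sources:
        try:
            module = importlib.import_module(module_name)
        except ImportError:
            continue
        cls = getattr(module, attr, None)
        if isinstance(cls, type) and issubclass(cls, BaseException):
            found.append(cls)
    return tuple(found)


JOSE_ERRORS = load_jose_error_classes()


def verify_token(token: str, decode_fn: Callable[[str], Any],
                 jose_errors=JOSE_ERRORS) -> Tuple[Optional[Any], Optional[str]]:
    """Fail closed: (claims, None) on success, (None, reason) on a known JOSE failure.

    Anything that is not a JOSE error propagates, so an unexpected exception is
    never reported as either a valid or an invalid token."""
    try:
        claims = decode_fn(token)
    except jose_errors as exc:  # an empty tuple catches nothing, which is the safe default
        return None, f"{type(exc).__name__}: {exc}"
    return claims, None


# Constructed stand-ins (not the real classes) so the demo runs without either library.
class OldJoseError(Exception):
    """Stands in for authlib.jose.errors.JoseError."""


class NewJoseError(Exception):
    """Stands in for joserfc.errors.JoseError; deliberately unrelated to OldJoseError."""


class NewBadSignatureError(NewJoseError):
    """Stands in for a signature failure raised through joserfc."""


def legacy_verify(token: str, decode_fn: Callable[[str], Any]):
    """The pre-1.7.0 pattern: only the old exception hierarchy is caught."""
    try:
        return decode_fn(token), None
    except OldJoseError as exc:
        return None, str(exc)


def demo() -> Tuple[bool, Optional[Any], Optional[str]]:
    """Run both wrappers against a decoder that rejects the token the new way."""
    def decode_rejecting(token: str):
        raise NewBadSignatureError("bad signature")  # constructed failure

    try:
        legacy_verify("hdr.payload.sig", decode_rejecting)
        escaped = False
    except NewJoseError:
        escaped = True  # the joserfc-style exception sailed past the old handler

    claims, reason = verify_token("hdr.payload.sig", decode_rejecting,
                                  jose_errors=(OldJoseError, NewJoseError))
    return escaped, claims, reason


if __name__ == "__main__":
    print("installed JOSE error bases:", [c.__module__ + "." + c.__name__ for c in JOSE_ERRORS])
    print("legacy handler let it escape / shim result:", demo())
```

Catching a tuple assembled at import time means the same except clause keeps working through the migration window where both modules exist, and the structured (claims, reason) return keeps rejection explicit rather than relying on whether an exception happens to be caught.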
Tasks
- Review src/authentication/jwk_token.py for all authlib.jose imports and usages
- Test against authlib 1.7.0's joserfc integration (run tests with the new version)
- Switch to joserfc.errors equivalents (e.g., replace from authlib.jose.errors import JoseError with from joserfc.errors import JoseError), or use joserfc APIs directly
- Raise the pyproject.toml floor from authlib>=1.6.0 to authlib>=1.7.0 to match the pinned version in requirements.hashes.source.txt
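For the audit step, an added example (not part of this issue or the repository): an AST-based scan that lists every import rooted at authlib.jose in a source file and separates out the ones from authlib.jose.errors, which are the names that existing except clauses depend on. The sample source is a constructed approximation of what jwk_token.py might contain, not the file itself.

```python
import ast
from typing import List, Tuple

DEPRECATED_ROOT = "authlib.jose"


def _is_deprecated(module_name: str) -> bool:
    """True for authlib.jose itself and any submodule of it (but not authlib.josex)."""
    return module_name == DEPRECATED_ROOT or module_name.startswith(DEPRECATED_ROOT + ".")


def find_deprecated_jose_imports(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line number, dotted name) pairs for every import rooted at authlib.jose.

    Handles both `from authlib.jose... import X` and `import authlib.jose...`;
    relative imports (module is None) are skipped."""
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.module and _is_deprecated(node.module):
            hits.extend((node.lineno, f"{node.module}.{alias.name}") for alias in node.names)
        elif isinstance(node, ast.Import):
            hits.extend((node.lineno, alias.name) for alias in node.names
                        if _is_deprecated(alias.name))
    return sorted(hits)


def error_class_imports(hits: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Subset of hits coming from authlib.jose.errors: the except clauses to revisit."""
    return [h for h in hits if h[1].startswith(DEPRECATED_ROOT + ".errors")]


# Constructed sample source mimicking the imports the issue describes.
SAMPLE_SOURCE = """\
from authlib.jose import JsonWebKey, JsonWebToken
from authlib.jose.errors import BadSignatureError, DecodeError, ExpiredTokenError
import authlib.jose.errors as jose_errors
import os
"""


if __name__ == "__main__":
    found = find_deprecated_jose_imports(SAMPLE_SOURCE)
    for lineno, name in found:
        print(f"line {lineno}: {name}")
    print("exception imports to migrate:", error_class_imports(found))
```

Run it over the real file with `find_deprecated_jose_imports(open(path).read())`; a text grep would miss aliased `import authlib.jose.errors as ...` forms and flag unrelated names in comments, which the AST walk does not.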
References