
Question: Why use python-jose over pyjwt?

Open sirosen opened this issue 8 years ago • 7 comments

It would be nice to have a section of the readme dedicated to explaining why one might use this project instead of pyjwt, especially since it says it was based on pyjwt. This seems particularly salient since pyjwt has a larger community of contributors.

My team started using python-jose because it supports using JWKs to validate JWTs. At the time, pyjwt did not support JWKs. However, since that time, pyjwt has added this feature, and I'm no longer sure which one is the right choice for us.

sirosen, Sep 12 '17 04:09

I second this. Worth noting is that PyJWT's JWK support is undocumented (afaik). Also worth noting are the remarks that PyJWT has on this page: https://jwt.io/ According to that page, PyJWT fails to check 2 things in the token (for security).

fgblomqvist, Oct 11 '17 23:10

Friendly ping? :-)

edmorley, Feb 14 '19 17:02

Worth sharing: pyjwt does not support verification of the OIDC at_hash, nor does it easily expose a way to validate it. (The hash algorithm needs to be easy to access / invoke for this to work well).

So if you're working with OIDC, python-jose might appeal for that reason. Our team is using both pyjwt and python-jose, in different projects.

sirosen, Feb 14 '19 17:02
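For reference, the `at_hash` check mentioned in the comment above, as an added example that is not part of the thread and is not code from python-jose or pyjwt. It uses only the standard library and follows the OIDC Core rule (hash the ASCII access token with the hash of the ID token's `alg`, keep the left half, base64url-encode without padding); the function names and sample tokens are hypothetical, and it assumes the ID token's signature has already been verified by a JWT library.

```python
import base64
import hashlib
import hmac
import json

# Hash selected by the ID token's JWS "alg" (OIDC Core 3.1.3.6): HS/RS/ES/PS + 256/384/512.
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_json(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def compute_at_hash(access_token: str, alg: str) -> str:
    """base64url of the left half of hash(ASCII access token), no padding."""
    if alg[:2] not in ("HS", "RS", "ES", "PS") or alg[2:] not in _HASHES:
        raise ValueError(f"no at_hash digest defined here for alg {alg!r}")
    digest = _HASHES[alg[2:]](access_token.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def verify_at_hash(id_token: str, access_token: str) -> bool:
    """Bind an access token to an ID token whose signature was ALREADY verified."""
    header_seg, claims_seg, _signature = id_token.split(".")
    alg = _b64url_json(header_seg)["alg"]
    claimed = _b64url_json(claims_seg).get("at_hash")
    if not isinstance(claimed, str):
        return False  # assumption: a missing at_hash is treated as a failure
    expected = compute_at_hash(access_token, alg)
    return hmac.compare_digest(expected.encode(), claimed.encode())


# Constructed sample data (not from the thread); the signature segment is a placeholder.
ACCESS_TOKEN = "constructed-access-token-0001"
ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "user-1",
                        "at_hash": compute_at_hash(ACCESS_TOKEN, "RS256")}).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    print(verify_at_hash(ID_TOKEN, ACCESS_TOKEN))        # token the ID token was issued with
    print(verify_at_hash(ID_TOKEN, ACCESS_TOKEN + "x"))  # a different access token
```

Rejecting a missing `at_hash` is a policy choice made here; OIDC only requires the claim in flows where the access token is returned alongside the ID token from the authorization endpoint.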

Well, that sounds understandable; I have now confidently decided to learn JWT with 'python-jose'. Thanks for the explanation.

AbdusamadAbdullaxanov, May 11 '22 09:05