Merge pull request #123 from oslokommune/bump-python-keycloak

Bump python-keycloak to remove python-jose
oslokommune · Apr 10, 2024 · 69f51f6 · 69f51f6
2 parents db85cf9 + 59c9bf8
commit 69f51f6
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 19 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## ?.?.? - Unreleased
+
+* Removed dependency on the vulnerable (and seemingly abandoned) python-jose
+  library.
+
 ## 3.1.0 - 2024-01-10
 
 * New method `Dataset.auto_create_edition` for creating a new edition with an

diff --git a/okdata/sdk/auth/credentials/client_credentials.py b/okdata/sdk/auth/credentials/client_credentials.py
@@ -1,7 +1,7 @@
 from dataclasses import dataclass
 from typing import Optional
 
-from keycloak.exceptions import KeycloakGetError  # type: ignore
+from keycloak.exceptions import KeycloakPostError  # type: ignore
 from keycloak.keycloak_openid import KeycloakOpenID  # type: ignore
 
 from okdata.sdk.auth.credentials.common import (
@@ -35,7 +35,7 @@ def __post_init__(self):
     def refresh_token(self, refresh_token):
         try:
             return self.client.refresh_token(refresh_token=refresh_token)
-        except KeycloakGetError as e:
+        except KeycloakPostError as e:
             raise TokenRefreshError(str(e))
 
     def new_token(self):

diff --git a/requirements.txt b/requirements.txt
@@ -8,36 +8,39 @@ attrs==21.4.0
     # via jsonschema
 certifi==2023.7.22
     # via requests
+cffi==1.16.0
+    # via cryptography
 charset-normalizer==2.0.12
     # via requests
-ecdsa==0.17.0
-    # via python-jose
+cryptography==42.0.5
+    # via jwcrypto
+deprecation==2.1.0
+    # via python-keycloak
 idna==3.3
     # via requests
 jsonschema==4.4.0
     # via okdata-sdk (setup.py)
-pyasn1==0.4.8
-    # via
-    #   python-jose
-    #   rsa
+jwcrypto==1.5.6
+    # via python-keycloak
+packaging==24.0
+    # via deprecation
+pycparser==2.22
+    # via cffi
 pyjwt==2.4.0
     # via okdata-sdk (setup.py)
 pyrsistent==0.18.1
     # via jsonschema
-python-jose==3.3.0
-    # via
-    #   okdata-sdk (setup.py)
-    #   python-keycloak
-python-keycloak==0.27.0
+python-keycloak==3.11.1
     # via okdata-sdk (setup.py)
 requests==2.31.0
     # via
     #   okdata-sdk (setup.py)
     #   python-keycloak
-rsa==4.8
-    # via python-jose
-six==1.16.0
-    # via ecdsa
+    #   requests-toolbelt
+requests-toolbelt==1.0.0
+    # via python-keycloak
+typing-extensions==4.11.0
+    # via jwcrypto
 urllib3==1.26.18
     # via
     #   okdata-sdk (setup.py)

diff --git a/setup.py b/setup.py
@@ -20,8 +20,9 @@
     install_requires=[
         "jsonschema",
         "PyJWT>=2.0.0",
-        "python-jose>=3.1.0,<4.0.0",
-        "python-keycloak",
+        # Versions prior to 3.9.1 depends on the vulnerable (and seemingly
+        # abandoned) python-jose library.
+        "python-keycloak>=3.9.1,<4",
         "requests>=2.25,<3",
         "urllib3>=1.26,<2",
     ],