
Commit 93514cb

MatthewJamisonJSbenoit-cty
authored andcommitted
fix: migrate authlib.jose to joserfc (#1197)
authlib.jose emits AuthlibDeprecationWarning and will be incompatible before authlib 2.0.0. Replace with joserfc, the authlib-recommended successor library.

Changes:
- codecarbon/cli/auth.py: KeySet.import_key_set + jwt.decode + JWTClaimsRegistry().validate() for access-token validation
- carbonserver oidc_auth_provider.py: same migration in _decode_token
- Add joserfc>=1.0.0 to lib and server dependencies
- Update cli auth tests to patch joserfc.jwk.KeySet instead of authlib.jose.JsonWebKey; token.claims now an attribute, not a dict with validate() method
1 parent 786db5c commit 93514cb

7 files changed

Lines changed: 21 additions & 14 deletions


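--- a/carbonserver/carbonserver/api/services/auth_providers/oidc_auth_provider.py
+++ b/carbonserver/carbonserver/api/services/auth_providers/oidc_auth_provider.py
@@ -9,10 +9,10 @@
 from typing import Any, Dict, Optional, Tuple
 
 from authlib.integrations.starlette_client import OAuth
-from authlib.jose import JsonWebKey
-from authlib.jose import jwt as jose_jwt
 from fastapi import Response
 from fief_client import FiefAsync
+from joserfc import jwt as jose_jwt
+from joserfc.jwk import KeySet
 
 from carbonserver.config import settings
 
@@ -63,10 +63,10 @@ async def _decode_token(self, token: str) -> Dict[str, Any]:
 ...
 
 jwks_data = await self.client.fetch_jwk_set()
-keyset = JsonWebKey.import_key_set(jwks_data)
-claims = jose_jwt.decode(token, keyset)
-claims.validate()
-return dict(claims)
+keyset = KeySet.import_key_set(jwks_data)
+decoded = jose_jwt.decode(token, keyset)
+jose_jwt.JWTClaimsRegistry().validate(decoded.claims)
+return dict(decoded.claims)
 
 async def validate_access_token(self, token: str) -> bool:
 await self._decode_token(token)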
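Review bot: `jose_jwt.JWTClaimsRegistry().validate(decoded.claims)` in `_decode_token` is built with no claim options, so as far as I know joserfc only checks the time claims (`exp`, `nbf`, `iat`) that happen to be present; a correctly signed token with no `exp`, or one the same identity provider issued for a different audience, would still be accepted. This appears to match what the old `claims.validate()` did, so it is not a regression, but the migration is a natural place to state the expectations, e.g. `jose_jwt.JWTClaimsRegistry(exp={"essential": True}, iss={"essential": True, "value": "<expected issuer>"}, aud={"essential": True, "value": "<expected audience>"})`, with the placeholder values taken from the server's OIDC settings. The same applies to `_validate_access_token` in codecarbon/cli/auth.py. `_decode_token` begins above this hunk, so any checks made earlier in the function are not visible here.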

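--- a/carbonserver/pyproject.toml
+++ b/carbonserver/pyproject.toml
@@ -37,6 +37,7 @@ dependencies = [
 "PyJWT",
 "fastapi-oidc>=0.0.9",
 "authlib>=1.6.6",
+"joserfc>=1.0.0",
 "itsdangerous>=2.2.0",
 ]
 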
carbonserver/uv.lock

Lines changed: 3 additions & 0 deletions

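--- a/codecarbon/cli/auth.py
+++ b/codecarbon/cli/auth.py
@@ -16,9 +16,9 @@
 import requests
 from authlib.common.security import generate_token
 from authlib.integrations.requests_client import OAuth2Session
-from authlib.jose import JsonWebKey
-from authlib.jose import jwt as jose_jwt
 from authlib.oauth2.rfc7636 import create_s256_code_challenge
+from joserfc import jwt as jose_jwt
+from joserfc.jwk import KeySet
 
 AUTH_CLIENT_ID = os.environ.get(
 "AUTH_CLIENT_ID",
@@ -110,9 +110,9 @@ def _validate_access_token(access_token: str) -> bool:
 discovery = _discover_endpoints()
 jwks_resp = requests.get(discovery["jwks_uri"])
 jwks_resp.raise_for_status()
-keyset = JsonWebKey.import_key_set(jwks_resp.json())
-claims = jose_jwt.decode(access_token, keyset)
-claims.validate()
+keyset = KeySet.import_key_set(jwks_resp.json())
+token = jose_jwt.decode(access_token, keyset)
+jose_jwt.JWTClaimsRegistry().validate(token.claims)
 return True
 except requests.RequestException as exc:
 logger.warning(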
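Review bot: `jose_jwt.decode(access_token, keyset)` in `_validate_access_token` does not pass `algorithms`, so the accepted signature algorithms are whatever joserfc's default registry allows rather than what the identity provider is known to sign with. Pinning it, e.g. `token = jose_jwt.decode(access_token, keyset, algorithms=["RS256"])` (substitute the algorithm the JWKS actually advertises), keeps a change in library defaults from widening what is accepted. The equivalent call in `_decode_token` in oidc_auth_provider.py would take the same argument. The `try` block these lines sit in starts above the hunk and its handlers continue below it.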

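--- a/pyproject.toml
+++ b/pyproject.toml
@@ -27,6 +27,7 @@ classifiers = [
 dependencies = [
 "arrow",
 "authlib>=1.2.1",
+"joserfc>=1.0.0",
 "click",
 "pandas>=2.3.3;python_version>='3.14'",
 "pandas;python_version<'3.14'",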

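--- a/tests/cli/test_cli_auth.py
+++ b/tests/cli/test_cli_auth.py
@@ -90,15 +90,15 @@ def test_save_and_load_credentials(self, mock_open):
 self.assertEqual(loaded, tokens)
 
 @patch("codecarbon.cli.auth.requests.get")
-@patch("codecarbon.cli.auth.JsonWebKey.import_key_set")
+@patch("codecarbon.cli.auth.KeySet.import_key_set")
 @patch("codecarbon.cli.auth.jose_jwt.decode")
 def test_validate_access_token_valid(
 self, mock_decode, mock_import_key_set, mock_get
 ):
 mock_get.return_value.json.return_value = {"jwks_uri": "jwks"}
 mock_get.return_value.raise_for_status.return_value = None
 mock_import_key_set.return_value = "keyset"
-mock_decode.return_value.validate.return_value = None
+mock_decode.return_value.claims = {}
 with patch(
 "codecarbon.cli.auth._discover_endpoints", return_value={"jwks_uri": "jwks"}
 ):
@@ -119,7 +119,7 @@ def test_validate_access_token_network_error_returns_true(
 
 @patch("codecarbon.cli.auth._discover_endpoints", return_value={"jwks_uri": "jwks"})
 @patch("codecarbon.cli.auth.requests.get")
-@patch("codecarbon.cli.auth.JsonWebKey.import_key_set")
+@patch("codecarbon.cli.auth.KeySet.import_key_set")
 @patch(
 "codecarbon.cli.auth.jose_jwt.decode",
 side_effect=Exception("invalid"),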
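Review bot: `test_validate_access_token_valid` now sets `mock_decode.return_value.claims = {}`, and since only `jose_jwt.decode` is patched the real `JWTClaimsRegistry().validate` runs against an empty claim set and passes, so no test exercises the claim-validation step rejecting anything. A companion case with `mock_decode.return_value.claims = {"exp": 0}` that asserts the result `_validate_access_token` gives for a rejected token would cover the new validation path and pin how an expired token is handled. The second hunk's test only covers `decode` itself raising, and its name and body lie outside the hunk.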

uv.lock

Lines changed: 2 additions & 0 deletions
