Currently, calling jwt.decode some keys can lead to a ValueError be raised with the message "This key may not be safe to import"":
|
if value.startswith(POSSIBLE_UNSAFE_KEYS): |
|
raise ValueError("This key may not be safe to import") |
While I am glad to learn that I can improve the security of my application, raising a ValueError adds friction on the context of a transition from authlib.jose to joserfc. I would suggest to either to:
- transform this into a warning
- add a
unsafe parameter to jwt.decode that would allow users to conscientiously permit the usage of low-quality keys. This would allow to separate the steps of migrating to joserfc and improving your keys security.
- add some form of configuration for the usage of unsafe keys somewhere?
It could also be potentially helpful to use really-low security keys in contexts of unit testing, where you want everything to go fast.
What do you think?
Currently, calling
jwt.decodesome keys can lead to aValueErrorbe raised with the message "This key may not be safe to import"":joserfc/src/joserfc/rfc7518/oct_key.py
Lines 37 to 38 in a44cd5a
While I am glad to learn that I can improve the security of my application, raising a
ValueErroradds friction on the context of a transition from authlib.jose to joserfc. I would suggest to either to:unsafeparameter tojwt.decodethat would allow users to conscientiously permit the usage of low-quality keys. This would allow to separate the steps of migrating to joserfc and improving your keys security.It could also be potentially helpful to use really-low security keys in contexts of unit testing, where you want everything to go fast.
What do you think?