Look into moving JWT support to PyJWT; consider whether or not we can make it a strict dependency (vs. optional) #226

@sirosen

For JWT support, we allow users to install python-jose via the globus-sdk[jwt] extra. That makes the inclusion optional.
We made it optional because python-jose depends on pycrypto, which doesn't install cleanly without system libraries.

pyjwt is more mainstream than python-jose, and depends on cryptography. Among the many nice things about cryptography over pycrypto, it ships statically linked wheels for many platforms.

This means that a transition could do a couple of things for us:

  • Improve the security of the tools we're implicitly endorsing, moving from pycrypto (which is dead) to cryptography
  • Use deps more aligned with the CLI (which requires cryptography for delegate proxy)
  • Possibly turn jwt support on by default, making cryptography a required dependency
    • This might work on our target platforms due to the static wheels as a format
    • We would need to expand our installation documentation to include notes on installing on the rare, unsupported platforms for cryptography
      e.g. sudo apt-get install build-essential libssl-dev libffi-dev python3-dev

However, this inherently makes globus-sdk installation more prone to failure. We're relying upon cryptography to retain good support for our target platforms, and if a platform is missing we expose a lot of extra setup burden.
We need to be very confident before pursuing this.

Labels: enhancement (New feature or improvement), question (A question or open discussion)