-
Notifications
You must be signed in to change notification settings - Fork 232
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix JWS verify #189
Fix JWS verify #189
Conversation
906147d
to
d066aa6
Compare
d066aa6
to
d073ad2
Compare
Codecov Report
@@ Coverage Diff @@
## master #189 +/- ##
=======================================
Coverage 93.51% 93.51%
=======================================
Files 16 16
Lines 1728 1728
=======================================
Hits 1616 1616
Misses 112 112
Continue to review full report at Codecov.
|
Hello @blag , if this issue is the remaining blocker for a new release of python-jose, can you please tell a concrete test case you would expect? It would ease validation of this feature (or at least the impact of this change on our codebase) if you were to release a .dev0 version on pypi.org thanks again |
+1 on a .dev0 release |
Any update on a .dev0 release? |
Can you rebase your changes onto the latest |
I don't have the time to work on this anymore. |
Note: This PR description is not yet finished, and I may rewrite some of these commits, so if you pull this branch, beware that you may need to rebase any changes you make to it!
Python 2 treated bytestrings and character strings as the same thing, a mistake that was thankfully fixed in Python 3. However, this did create a dilemma when updating this codebase to run on Python 3 - should module functions return bytestrings or character strings? Many, if not all, encryption packages sidestep this issue by foisting the distinction and conversion processes onto users, however, that makes implementing robust and correct applications more difficult.
Users of this package who have been running on Python 3 have come across many sharp edges of the
bytes
/str
divide and reported them across multiple issues (#51, #153, #183, #184), and so with the update to Python 3, it has become imperative for this package to "take a stand" on the basic data structure it expects to handle.I searched through RFC 7520 for "byte", "bytes", and "binary" and found only one instance:
This indicates to me that the governing standard for this project does not want to deal with bytestrings directly, instead dealing with them indirectly via base64-urlencoding.
Python 2.7 makes base64-encoding bytestrings and strings easy, and both are base64-encoded to
str
:To summarize the types that are expected and returned:
bytes
->str
str
->str
Python 3.6 makes things more complex - users have to manually encode strings to bytes before base64-encoding them, and :
Summarizing those type expectations:
bytes
->bytes
str
-> (exception)So Python 2.7 will accept
bytes
andstr
and returns astr
, but Python 3 only acceptsbytes
and returnsbytes
. This impacts everybody who is using Python 3, not just users of this library. Unfortunately, it's not the behavior we would like.