Skip to content

fix: replace python-jose with PyJWT for JWT handling #3756

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Oct 14, 2025
Merged

fix: replace python-jose with PyJWT for JWT handling #3756

merged 5 commits into from
Oct 14, 2025
+93 −86

Conversation

leseb
Copy link
Collaborator

@leseb leseb commented Oct 9, 2025
edited
Loading

What does this PR do?

This commit migrates the authentication system from python-jose to PyJWT to eliminate the dependency on the archived rsa package. The migration includes:

  • Refactored OAuth2TokenAuthProvider to use PyJWT's PyJWKClient for clean JWKS handling
  • Removed manual JWKS fetching, caching and key extraction logic in favor of PyJWT's built-in functionality

The new implementation is cleaner, more maintainable, and follows PyJWT best practices while maintaining full backward compatibility.

Test Plan

Unit tests. Auth CI.

@meta-cla meta-cla bot added the CLA Signed This label is managed by the Meta Open Source bot. label Oct 9, 2025
@leseb
Copy link
Collaborator Author

leseb commented Oct 9, 2025

Opening as a draft because I want to do proper testing.

@leseb leseb changed the title fx: replace python-jose with PyJWT for JWT handling fix: replace python-jose with PyJWT for JWT handling Oct 9, 2025
@leseb leseb force-pushed the rm-python-jose-dep branch from 29f2772 to 97b409e Compare October 9, 2025 16:00
@ktdreyer
Copy link

ktdreyer commented Oct 9, 2025

From the python-jose docs, it looks like you could switch to pip install python-jose[cryptography] instead of switching the entire library?

@ktdreyer
Copy link

ktdreyer commented Oct 9, 2025

I guess I'm wrong, pyproject.toml already has "python-jose[cryptography]"?

@ktdreyer
Copy link

ktdreyer commented Oct 9, 2025

I did some testing, and even through pyproject.toml has the "python-jose[cryptography]" line, Pip still installs rsa. PyJWT look more popular, though, so 👍 from me.

@leseb leseb force-pushed the rm-python-jose-dep branch 3 times, most recently from 4df0466 to 1f50a02 Compare October 10, 2025 13:44
@leseb leseb marked this pull request as ready for review October 10, 2025 13:44
franciscojavierarceo
franciscojavierarceo reviewed Oct 10, 2025
View reviewed changes
ashwinb
ashwinb reviewed Oct 10, 2025
View reviewed changes
ashwinb
ashwinb reviewed Oct 10, 2025
View reviewed changes
leseb added 4 commits October 13, 2025 09:17
@leseb
fix: replace python-jose with PyJWT for JWT handling
7fa2bae 
This commit migrates the authentication system from python-jose to PyJWT
to eliminate the dependency on the archived rsa package. The migration
includes:

- Refactored OAuth2TokenAuthProvider to use PyJWT's PyJWKClient for
  clean JWKS handling
- Removed manual JWKS fetching, caching and key extraction logic in
  favor of PyJWT's built-in functionality

The new implementation is cleaner, more maintainable, and follows PyJWT
best practices while maintaining full backward compatibility.

Signed-off-by: Sébastien Han <[email protected]>
@leseb
fix: add support for TLS communication
f379c78 
Pass TLS certs to the PyJWKClient

Signed-off-by: Sébastien Han <[email protected]>
@leseb
fix: disable TLS verification explicitly
a1c98ca 
If verify_tls is False we disable the cert verification in the ssl
context.

Signed-off-by: Sébastien Han <[email protected]>
@leseb
fix: add token in the header for kube
dbd6e2b 
Kubernetes JWT endpoint is authenticated so we must pass the token from
the config in the PyJWKClient's client header to fetch the public keys.

Signed-off-by: Sébastien Han <[email protected]>
@leseb leseb force-pushed the rm-python-jose-dep branch from 1f50a02 to 657052b Compare October 13, 2025 08:19
@leseb leseb force-pushed the rm-python-jose-dep branch from 657052b to c314275 Compare October 13, 2025 08:25
@leseb leseb merged commit 1136daf into llamastack:main Oct 14, 2025
45 checks passed
@leseb leseb deleted the rm-python-jose-dep branch October 14, 2025 07:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@franciscojavierarceo franciscojavierarceo franciscojavierarceo approved these changes

@yanxi0830 yanxi0830 Awaiting requested review from yanxi0830 yanxi0830 is a code owner

@hardikjshah hardikjshah Awaiting requested review from hardikjshah hardikjshah is a code owner

@raghotham raghotham Awaiting requested review from raghotham raghotham is a code owner

@ehhuang ehhuang Awaiting requested review from ehhuang ehhuang is a code owner

@terrytangyuan terrytangyuan Awaiting requested review from terrytangyuan terrytangyuan is a code owner

@bbrowning bbrowning Awaiting requested review from bbrowning bbrowning is a code owner

@reluctantfuturist reluctantfuturist Awaiting requested review from reluctantfuturist reluctantfuturist is a code owner

@mattf mattf Awaiting requested review from mattf mattf is a code owner

@slekkala1 slekkala1 Awaiting requested review from slekkala1 slekkala1 is a code owner

@ashwinb ashwinb Awaiting requested review from ashwinb ashwinb is a code owner

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Meta Open Source bot.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@leseb @ktdreyer @ashwinb @franciscojavierarceo