Error: Subject must be a string! #557

Closed
kwagdy opened this issue Nov 18, 2024 · 6 comments

Comments

@kwagdy

kwagdy commented Nov 18, 2024

We have been using flask-jwt-extended to manage JWT tokens for a few months now, we made a quick recent update to a separate part of our code, unrelated to the JWT. However, we started seeing this error Subject must be a string during login phase (and token management), which is fired by the function declared under invalid_token_loader that fires when an invalid JWT is encountered. The error refers to the line set_access_cookies(identity=u_token) in the following code section:

from flask import make_response, redirect, url_for
from flask_jwt_extended import (create_access_token, create_refresh_token,
                                set_access_cookies, set_refresh_cookies)

resp = make_response(redirect(url_for("home")))
u_token = {}
u_token['user_id'] = user.id
u_token['role'] = user.role    # closing quote was missing in the original paste
u_token['c_id'] = cAuto.id     # closing quote was missing in the original paste
# identity is a dict here; this is what ends up in the "sub" claim
access_token = create_access_token(identity=u_token)
refresh_token = create_refresh_token(identity=u_token)

set_access_cookies(resp, access_token, max_age=60*60*24) # <--- Error fires here!
# the refresh cookie must carry the refresh token (original paste passed access_token)
set_refresh_cookies(resp, refresh_token, max_age=60*60*24*7)

It seems that it expects a string. When we change the passed parameter momentarily to a string, the line passes without error. However, as per the docs, it's ok to add any JSON serializable data to identity:

create_access_token - identity: The identity of this token. It can be any data that is json serializable. You can use user_identity_loader() to define a callback function to convert any object passed in into a json serializable format.

Although we haven't changed any part of the code related to JWT, and it has been running all the past months without issues, our primary suspicion was one of the dependencies that we might have failed to pin to a specific version, in case it was updated recently and caused the issue; but it seems we already have the versions pinned for the JWT-related libraries, at least to our knowledge.

This might be a shot in the dark, but we don't see that this might be caused by other libraries at this point, appreciate your help!

For reference here is our requirements.txt:

appengine-python-standard
Flask==2.1.3
gunicorn
passlib
Jinja2
Flask-JWT-Extended==4.3.0
Werkzeug==2.0.0
requests
python-dateutil
google-cloud-logging
google-cloud-datastore
google-cloud-storage
google-cloud-core
iso8601
firebase_admin
reportlab
arabic_reshaper
python-bidi
@nathanganser

Same issue for us, pretty critical. Still investigating what's going on.

https://pypi.org/project/Flask/#history Flask updated some code recently, might be related to that. Still investigating.

@manisandro

This is due to the just released pyjwt-2.10.0 [1] which adds the sub claim validation [2]. According to the spec [3]

The "sub" value is a case-sensitive string containing a StringOrURI value

so the validation is correct. So either the flask-jwt-extended documentation should be fixed, or JWT_IDENTITY_CLAIM should default to something other than sub, or create_access_token and get_jwt_identity should internally JSON-serialize/deserialize.

@nathanganser

So the quick fix is to add
PyJWT==2.9.0
at the top of your requirements.txt file.

@vimalloc
Owner

Thanks for the report!

I am going to update the documentation and release a new version outlining the difference, but I don't plan to break away from the underlying PyJWT implementation or JWT spec for this case. For now if you're affected by this issue, I would recommend pinning PyJWT to an earlier version, and then updating your application as needed to make sub a string.

@vimalloc
Owner

4.7.0 has been published, which now documents that identity must either be a string, or you must use the user_identity_loader to convert your object to a string.

If you have issues making this change in your applications for whatever reason feel free to let me know. I think it will hopefully be pretty straightforward, but if you run into any unexpected complexities I would be happy to try and help resolve them with you.

Cheers!

@kwagdy
Author

kwagdy commented Nov 18, 2024

Oh wow, you guys are quite active! Appreciate the quick turnaround!
We started to convert the identity to string, and we will later move the other claims to additional_claims parameter.
Thank you!
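The root cause explained above (PyJWT 2.10.0 rejecting a non-string "sub", per RFC 7519) and the fix adopted in 4.7.0 and in the reporter's follow-up (string identity in "sub", the remaining data as additional claims) can be shown without Flask. The example below is added here and is not code from the thread, flask-jwt-extended or PyJWT: it is a stdlib-only HS256 encoder/decoder whose decode step applies the same "sub must be a string" rule, with a constructed secret and constructed user values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; not a key from the thread or the project.
SECRET = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(claims: dict) -> str:
    """Minimal HS256 encoder; stands in for jwt.encode, not PyJWT itself."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_hs256(token: str) -> dict:
    """Verify the signature, then apply the RFC 7519 rule that "sub" is a
    StringOrURI. This mirrors the check PyJWT 2.10.0 added; the message is the
    one the reporter saw."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("Invalid signature")
    claims = json.loads(_b64url_decode(payload))
    if "sub" in claims and not isinstance(claims["sub"], str):
        raise ValueError("Subject must be a string!")
    return claims


def subject_error(token: str):
    """Return the validation error message for a token, or None if it decodes."""
    try:
        decode_hs256(token)
    except ValueError as exc:
        return str(exc)
    return None


def legacy_identity_token(user_id, role, c_id) -> str:
    """What the reporter's code effectively produced: a dict inside "sub"."""
    return encode_hs256({"sub": {"user_id": user_id, "role": role, "c_id": c_id}})


def fixed_identity_token(user_id, role, c_id) -> str:
    """The shape 4.7.0 documents: string identity in "sub" (what a
    user_identity_loader returning str(user.id) yields), other data as
    additional claims (what additional_claims= carries)."""
    return encode_hs256({"sub": str(user_id), "role": role, "c_id": c_id})
```

In the real library the same split is registering a user_identity_loader that returns str(user.id) and passing role and c_id through additional_claims, then reading them back with get_jwt() rather than from get_jwt_identity().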

t-h2o added a commit to t-h2o/matcha that referenced this issue Nov 19, 2024
RobinBurri added a commit to t-h2o/matcha that referenced this issue Nov 19, 2024
* requirements: import flask-socketio

* backend: socket io

* add socket.io to angular

* add socket-flask to requirements.txt.

* add socket test code in angular

* socket working

* create routers folder

* import other blueprint

* move populate in backend folder

* requirements: hotfix jwt

vimalloc/flask-jwt-extended#557

* Revert "revert me: remove angular"

This reverts commit 9072317.

* docs: debug

* app: add images

---------

Co-authored-by: Robin Burri <robinburri@tutanota.com>