
Switch from python-jose to pyjwt #42

Open
siebediels opened this issue Apr 30, 2024 · 5 comments

Comments

@siebediels

Is there a plan to migrate from python-jose to pyjwt? python-jose isn't maintained any more and contains some known vulnerabilities.

I noticed that there was some effort done in #41, but I'm not sure what happened to it. As an intermediate solution, we could perhaps move to python-jose[cryptography], which is already recommended above the default python-jose (with the Python backend)?

@spawn-guy

spawn-guy commented Sep 10, 2024

@siebediels I just tested these modifications in #41 locally and they just work out of the box.

There could be some improvements regarding Pydantic v2, but otherwise it looks to be working (with valid tokens).

I'd just merge that one PR and go ahead.

@spawn-guy

spawn-guy commented Sep 11, 2024

If needed, I can make a PR. For now I have a working local version of the code. Just ask ;)

@spawn-guy

aaight... lezz do this #43

@spawn-guy

I've made some updates and some more fixes to the PR, and enforced some verifications by default unless a developer overrides them explicitly.
Now I like it. Let's wait for @dorinclisu to come back to us.

Additionally, I'd like to remove the email namespace parsing. To get the email you need to call the Auth0 Management API directly, I think. Also, this is a private data leak if one includes the email in tokens (so be careful).
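To make the "verifications enforced by default, unless a developer overrides them explicitly" design concrete, here is an added, stdlib-only illustration of what such a verifier checks. It is not code from #41, #43 or the project; a real migration would use PyJWT, where `jwt.decode(...)`'s `algorithms`, `audience`, `issuer` and `options={"require": [...]}` parameters cover the same ground. The key, issuer and audience values, the token builder and the `run_checks` helper are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Algorithms the server accepts. Pinned here and never read from the token's
# own header, so a token cannot talk the verifier into "none" or another alg.
ALLOWED_ALGS = frozenset({"HS256"})


class InvalidToken(Exception):
    """Raised for any token that fails a verification step."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed token builder for the demo (in the real app Auth0 issues the tokens).
    Only HS256 is signed; any other alg gets an empty signature so its rejection can be shown."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, *, audience: str, issuer: str,
                 now: Optional[float] = None,
                 required: tuple = ("exp", "aud", "iss")) -> dict:
    """Verify-by-default: algorithm pinning, signature, required claims, exp, aud and iss
    are all checked unless the caller explicitly narrows `required`. Returns verified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64 (binascii.Error) and bad JSON both subclass ValueError
        raise InvalidToken("undecodable header") from exc
    if header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken(f"algorithm {header.get('alg')!r} not allowed")
    # The signature is checked before the payload is parsed, so nothing unverified is trusted.
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise InvalidToken("signature mismatch")
    claims = json.loads(_b64url_decode(parts[1]))
    for name in required:
        if name not in claims:
            raise InvalidToken(f"required claim {name!r} missing")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("token expired")
    if "aud" in claims:
        auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if audience not in auds:
            raise InvalidToken("audience mismatch")
    if "iss" in claims and claims["iss"] != issuer:
        raise InvalidToken("issuer mismatch")
    return claims


def run_checks() -> dict:
    """Exercise the verifier against constructed tokens; reports which rejections fired."""
    key = b"demo-shared-secret-not-for-production"   # constructed
    now = 1_700_000_000                               # fixed clock for determinism
    aud, iss = "https://api.example.test", "https://tenant.example.test/"  # constructed
    good = {"sub": "auth0|123", "aud": aud, "iss": iss, "exp": now + 600}
    kw = dict(audience=aud, issuer=iss, now=now)

    def rejected(token: str) -> bool:
        try:
            verify_token(token, key, **kw)
        except InvalidToken:
            return True
        return False

    h, _b, s = make_token(good, key).split(".")
    swapped_body = _b64url_encode(json.dumps({**good, "sub": "auth0|999"}).encode())
    return {
        "valid_accepted": verify_token(make_token(good, key), key, **kw)["sub"] == "auth0|123",
        "alg_none_rejected": rejected(make_token(good, key, alg="none")),
        "tampered_payload_rejected": rejected(f"{h}.{swapped_body}.{s}"),
        "missing_aud_rejected": rejected(make_token({k: v for k, v in good.items() if k != "aud"}, key)),
        "wrong_audience_rejected": rejected(make_token({**good, "aud": "https://other.example.test"}, key)),
        "expired_rejected": rejected(make_token({**good, "exp": now - 1}, key)),
    }
```

The point of the keyword-only `audience` and `issuer` arguments and the default `required` tuple is that a caller has to write something explicit to get less checking than the default, which is the behaviour the comment above describes. Note also that the verifier never puts anything from the payload to use until the signature has passed, which is why claims such as an email address should not be relied on from the token at all if they are not needed there.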

@spawn-guy

bump.

Unfortunately, no activity on my PR :(
