Abstract

JSON Web Token (JWT) is a simple, compact way to share claims in a space-constrained environment. JWT is part of the interoperable JSON-based identity suite. Many libraries that provide JWT-based authentication and authorization exist. While the JWT standard is secure, some implementations still need to be made. This research paper delves into a comprehensive analysis of the prominent Python libraries utilized for JWT authentication. By meticulously examining these libraries, we aim to provide an in-depth understanding of their features and capabilities. Our investigation encompasses an enumeration of the distinct signing algorithms that are supported by each of these JWT Python libraries. To ensure the robustness and security of these libraries, we employ a multifaceted approach that utilizes various Static Application Security Testing (SAST) tools. These tools play a pivotal role in our assessment by not only evaluating the adherence of the codebase to the PEP8 standard but also by meticulously scanning for common security vulnerabilities and bugs that could potentially compromise the integrity of the authentication process. Our research goes beyond mere identification; we meticulously analyze each warning generated by the SAST tools, emphasizing those warnings that hold the greatest significance regarding potential security risks. Furthermore, our investigation extends to gauging the popularity and adoption of each library. To achieve this, we leverage GitHub statistics and harness the power of the Sourcegraph code search utility. By delving into these metrics, we gain a comprehensive view of the community’s engagement, usage trends, and overall traction of each library. In summary, this paper thoroughly explores the landscape of JWT authentication in Python, encompassing library evaluation, security assessment, warning analysis, and popularity metrics.
