diff --git a/frappe/oauth.py b/frappe/oauth.py
index a4c66bf3f2..67d346ad8a 100644
--- a/frappe/oauth.py
+++ b/frappe/oauth.py
@@ -486,6 +486,7 @@ class OAuthWebRequestValidator(RequestValidator):
 		user = None
 		payload = jwt.decode(
 			id_token_hint,
+			algorithms=["HS256"],
 			options={
 				"verify_signature": False,
 				"verify_aud": False,
@@ -508,7 +509,7 @@ class OAuthWebRequestValidator(RequestValidator):
 			id_token_hint,
 			key=client_secret,
 			audience=client_id,
-			algorithm="HS256",
+			algorithms=["HS256"],
 			options={
 				"verify_exp": False,
 			},
diff --git a/frappe/tests/test_oauth20.py b/frappe/tests/test_oauth20.py
index cf3b2ea90d..2a5bed34b3 100644
--- a/frappe/tests/test_oauth20.py
+++ b/frappe/tests/test_oauth20.py
@@ -302,7 +302,7 @@ class TestOAuth20(unittest.TestCase):
 			id_token,
 			audience=client.client_id,
 			key=client.client_secret,
-			algorithm="HS256",
+			algorithms=["HS256"],
 		)
 		self.assertTrue(payload.get("nonce") == nonce)
diff --git a/frappe/utils/oauth.py b/frappe/utils/oauth.py
index 45cce737e1..9f5ff9d360 100644
--- a/frappe/utils/oauth.py
+++ b/frappe/utils/oauth.py
@@ -134,7 +134,7 @@ def get_info_via_oauth(provider, code, decoder=None, id_token=False):
 		token = parsed_access['id_token']
-		info = jwt.decode(token, flow.client_secret, verify=False)
+		info = jwt.decode(token, flow.client_secret, options={"verify_signature": False})
 	else:
 		api_endpoint = oauth2_providers[provider].get("api_endpoint")
 		api_endpoint_args = oauth2_providers[provider].get("api_endpoint_args")
diff --git a/requirements.txt b/requirements.txt
index 8b1d9e649d..0791f01b27 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -43,7 +43,7 @@ psutil~=5.8.0
 psycopg2-binary~=2.8.6
 pyasn1~=0.4.8
 pycryptodome~=3.10.1
-PyJWT~=1.7.1
+PyJWT~=2.0.1
 PyMySQL~=1.0.2
 pyngrok~=5.0.5
 pyOpenSSL~=20.0.1
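Review bot: The first decode of `id_token_hint` still runs with `"verify_signature": False`, so everything in `payload` at this point is unauthenticated input until the keyed decode later in the same method (the second hunk), and it must only be used to look up which client to verify against. Nothing in the hunk records that two-pass intent, which is exactly the kind of line a later maintainer "simplifies" by trusting the first payload. I would add above the call `# Unverified pass: read claims only to find the client; the token is re-decoded with that client's secret below.` The method body, and whatever `payload` feeds, lies outside this hunk, so the "lookup only" use is inferred from the second decode rather than seen.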
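Review bot: The removed `algorithm="HS256"` was never a `jwt.decode` parameter, so this keyed decode previously ran with no algorithm pinned at all; `algorithms=["HS256"]` is the first version of this line that actually restricts the accepted signing algorithm, and that is worth a one-line comment rather than being read as a mechanical rename. The same literal now appears in the unverified decode above and in `test_oauth20.py`; hoist it to one module constant, `ID_TOKEN_ALGORITHMS = ["HS256"]`, and pass `algorithms=ID_TOKEN_ALGORITHMS` from both decode calls so the accepted set is defined in one place. `"verify_exp": False` is presumably deliberate because an `id_token_hint` may already be expired, but it should say so in a comment, since it silently also disables expiry on a token that is otherwise fully verified here. The enclosing method starts before and continues after this hunk.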
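Review bot: `flow.client_secret` is passed as the key but never used, because `options={"verify_signature": False}` skips signature checking entirely, and under PyJWT 2 that also disables the `exp`, `nbf`, `aud` and `iss` checks, so the new line preserves the old `verify=False` behaviour exactly while reading as if the token were verified. If skipping verification is intentional, presumably because the `id_token` arrived directly in the token-endpoint response (`parsed_access`), which the RP obtained itself rather than from the browser, the reason belongs next to the call: `# id_token was received directly from the provider's token endpoint; signature and claim checks are intentionally skipped, and the key argument is unused.` If that assumption does not hold for every provider in `oauth2_providers`, this line is the one to revisit, since no claim of the resulting `info` is validated. `get_info_via_oauth` begins before this hunk and continues after it.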