
Upgrade go-jose to fix CVE-2024-28180 #417

Closed
bcandeias opened this issue Mar 19, 2024 · 3 comments · Fixed by #421

Comments

@bcandeias

Two weeks ago github.com/go-jose/go-jose released v4.0.1 to fix a published vulnerability (CVE-2024-28180).

This issue is to bump the dependency from v3.0.1 to v4.0.1.

(I can do a pull request with the bump)

bcandeias pushed a commit to bcandeias/go-oidc that referenced this issue Mar 19, 2024
This bumps the go-jose dependency to a version that addresses
vulnerability CVE-2024-28180.

Closes coreos#417
@bcandeias
Author

I just realised that the API also changes, which likely means a go-oidc v4 as well.

The big difference is that jose.ParseSigned now requires the SignatureAlgorithm.

```
# github.com/coreos/go-oidc/v3/oidc
oidc/jwks.go:28:31: not enough arguments in call to jose.ParseSigned
	have (string)
	want (string, []jose.SignatureAlgorithm)
```

Trying to figure out what we should do here, as it really doesn't make sense from an API perspective to request this when the JWT string already has that encoded.
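To make the new `ParseSigned` shape concrete, here is an added example (not code from go-oidc or go-jose) written against the Go standard library only. It shows a verifier that takes the permitted signature algorithms from the caller and rejects any token whose protected header names something else before the key is touched. That is the property a required `[]jose.SignatureAlgorithm` argument gives the caller: the token's own `alg` header no longer decides how the token is verified. `demoKey`, the sample claims and the helper names are constructed for this example, and only HS256 is implemented.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Verifier errors; callers can tell a rejected algorithm apart from a bad
// signature, which matters when deciding what to log or alert on.
var (
	ErrMalformed     = errors.New("jws: malformed compact serialization")
	ErrAlgNotAllowed = errors.New("jws: header alg not in caller's allowlist")
	ErrBadSignature  = errors.New("jws: signature mismatch")
)

// demoKey is a constructed sample key for this example only.
var demoKey = []byte("constructed-demo-hmac-key-not-for-real-use")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// compact assembles the JWS compact serialization (header.payload.signature),
// calling sign over the signing input. It is used to build sample tokens.
func compact(header map[string]any, payload []byte, sign func(signingInput string) []byte) (string, error) {
	h, err := json.Marshal(header)
	if err != nil {
		return "", err
	}
	signingInput := b64(h) + "." + b64(payload)
	return signingInput + "." + b64(sign(signingInput)), nil
}

// hs256 computes HMAC-SHA256 over the signing input.
func hs256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignHS256 produces a correctly signed sample token.
func SignHS256(payload, key []byte) (string, error) {
	hdr := map[string]any{"alg": "HS256", "typ": "JWT"}
	return compact(hdr, payload, func(si string) []byte { return hs256(si, key) })
}

// Verify returns the payload only if the protected header's "alg" is one of
// allowed and the signature checks out. The allowlist is consulted before any
// cryptographic work, mirroring the shape of go-jose v4's
// ParseSigned(token, []jose.SignatureAlgorithm). Only HS256 is implemented.
func Verify(token string, allowed []string, key []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil {
		return nil, ErrMalformed
	}
	permitted := false
	for _, a := range allowed {
		if a == hdr.Alg {
			permitted = true
			break
		}
	}
	if !permitted {
		return nil, fmt.Errorf("%w: %q", ErrAlgNotAllowed, hdr.Alg)
	}
	if hdr.Alg != "HS256" {
		// A real library dispatches on the already-allowlisted algorithm here.
		return nil, fmt.Errorf("jws: %q is allowed but not implemented in this example", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	if !hmac.Equal(hs256(parts[0]+"."+parts[1], key), sig) {
		return nil, ErrBadSignature
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

func main() {
	payload := []byte(`{"sub":"alice"}`) // constructed sample claims
	tok, _ := SignHS256(payload, demoKey)
	if p, err := Verify(tok, []string{"HS256"}, demoKey); err == nil {
		fmt.Printf("accepted: %s\n", p)
	}
	// A header naming an algorithm the verifier was not configured for is
	// rejected before the key is used, whatever the signature bytes are.
	other, _ := compact(map[string]any{"alg": "HS384"}, payload, func(si string) []byte { return hs256(si, demoKey) })
	_, err := Verify(other, []string{"HS256"}, demoKey)
	fmt.Println("HS384 header:", err)
}
```

The order of checks is the point: the allowlist comparison happens on the decoded header alone, so a caller configured for HS256 never reaches the signature step for a token that claims anything else, and the distinct `ErrAlgNotAllowed` error is what a service would want to count and alert on separately from ordinary signature failures.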

@ericchiang
Collaborator

go-oidc intentionally doesn't export anything that references its JWT package, so it's fine to change the dependency without releasing a major version bump. We did that in the past when go-jose changed its import path.

I can take a crack at updating. If I'm reading the new signature right this might actually fix #356 as well

Regardless, the CVE is for JWE implementation issues which this package doesn't use. v3.0.3 also appears to have the fix.

@bcandeias
Author

bcandeias commented Mar 19, 2024

> Regardless, the CVE is for JWE implementation issues which this package doesn't use. v3.0.3 also appears to have the fix.

Fair point. I didn't validate whether it was being used or not, and I was also being misled by the v4.0.1 release notes. #418 does the bump, but I tried to take a stab at using 4.0.1 (the one where the API changes). In the interest of enabling #356 I can try contributing.
