Upgrade golang-jwt to v5 #1601
Codecov Report
All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1601      +/-   ##
==========================================
+ Coverage   86.27%   86.37%   +0.10%
==========================================
  Files          87       86       -1
  Lines        8239     8226      -13
==========================================
- Hits         7107     7104       -3
+ Misses        798      791       -7
+ Partials      334      331       -3

☔ View full report in Codecov by Sentry.
internal/authn/oidc/oidc.go
Outdated
} | ||
|
||
validIssuers := []string{oidc.MainIssuer} |
nitpick: this line can be combined with the next line.
@@ -4,13 +4,13 @@ go 1.21.9 | |||
|
|||
require ( | |||
github.com/Masterminds/squirrel v1.5.4 | |||
github.com/MicahParks/keyfunc v1.9.0 | |||
github.com/MicahParks/keyfunc/v2 v2.0.3 |
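Review bot: the replacement require line moves to `github.com/MicahParks/keyfunc/v2`, which Go treats as a separate module from `github.com/MicahParks/keyfunc`; the v1 require and its go.sum entries only drop out once every import of the old path (the OIDC authenticator in internal/authn/oidc/oidc.go is the obvious place to check) is switched to the `/v2` suffix and `go mod tidy` is run, otherwise the module graph keeps both majors. The same applies if the v3 suggested in the comment is taken instead, since its import path carries a `/v3` suffix.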
Please upgrade to v3: https://github.com/MicahParks/keyfunc/tree/v3.3.2
internal/authn/oidc/oidc.go
Outdated
if err := jwt.NewValidator(jwt.WithIssuedAt()).Validate(claims); err != nil { | ||
return nil, errInvalidToken | ||
} |
You can get rid of this block and change line 74 to
jwtParser := jwt.NewParser(
jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}),
jwt.WithIssuedAt(),
)
Also, please add jwt.WithExpirationRequired(),
and add a test for that.
if err := jwt.NewValidator(jwt.WithAudience(oidc.Audience)).Validate(claims); err != nil { | ||
return nil, errInvalidAudience |
Thought (not for this PR): I think we shot ourselves in the foot by having all these custom error codes. The code would be much simpler and therefore more secure if we performed all validations in one go:
jwtParser := jwt.NewParser(
jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}),
jwt.WithIssuedAt(),
jwt.WithExpirationRequired(),
jwt.WithAudience(config.Audience),
)
if err != nil || !token.Valid {
return nil, errInvalidToken
}
:(
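The two review comments above (fold the checks into the `jwt.NewParser` options, and hand the caller one opaque error instead of a family of custom ones) describe what the validator should enforce. What follows is an added example, not code from this PR, from openfga or from golang-jwt: a self-contained Go verifier for HS256 tokens whose `Options` fields stand in for `jwt.WithValidMethods`, `jwt.WithIssuedAt`, `jwt.WithExpirationRequired` and `jwt.WithAudience`, so that the single-pass validation and the single-error collapse can be run and tested offline. Every name in it (`Validate`, `Authenticate`, `Options`, `Claims`, `SignHS256`, the `Err*` variables) and the key and audience strings are constructed for the example; the real authenticator verifies RS256 tokens against keys fetched with keyfunc, which this toy deliberately does not do.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Distinct causes, useful in a log line; Authenticate collapses them to ErrInvalidToken.
var (
	ErrMalformed        = errors.New("token malformed")
	ErrBadAlg           = errors.New("signing method not allowed")
	ErrBadSignature     = errors.New("signature invalid")
	ErrExpRequired      = errors.New("exp claim required")
	ErrExpired          = errors.New("token expired")
	ErrUsedBeforeIssued = errors.New("token used before issued")
	ErrBadAudience      = errors.New("audience mismatch")
	ErrInvalidToken     = errors.New("invalid token")
)

// Claims: the registered claims the checks need; aud is kept in its array form (RFC 7519 also allows a bare string).
type Claims struct {
	Sub string   `json:"sub,omitempty"`
	Aud []string `json:"aud,omitempty"`
	Exp *int64   `json:"exp,omitempty"`
	Iat *int64   `json:"iat,omitempty"`
}

// Options stand in for the golang-jwt v5 parser options named in the review (assumed names).
type Options struct {
	ValidMethods      []string // jwt.WithValidMethods: alg allowlist
	CheckIssuedAt     bool     // jwt.WithIssuedAt: reject an iat in the future
	RequireExpiration bool     // jwt.WithExpirationRequired: exp must be present
	Audience          string   // jwt.WithAudience: aud must contain this value
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func I64(v int64) *int64  { return &v }

func decodeSegment(seg string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

func hs256(input string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// Validate runs every check in one pass and reports the first failure.
func Validate(token string, key []byte, o Options) (*Claims, error) {
	parts := strings.Split(token, ".")
	var h struct{ Alg string `json:"alg"` }
	if len(parts) != 3 || decodeSegment(parts[0], &h) != nil {
		return nil, ErrMalformed
	}
	// Allowlist before any signature work: "none" and algorithm-confusion
	// headers never reach the verifier. This toy only implements HS256.
	if h.Alg != "HS256" || !slices.Contains(o.ValidMethods, h.Alg) {
		return nil, ErrBadAlg
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return nil, ErrBadSignature
	}
	var c Claims
	if decodeSegment(parts[1], &c) != nil {
		return nil, ErrMalformed
	}
	now := time.Now().Unix()
	switch {
	case c.Exp == nil && o.RequireExpiration:
		return nil, ErrExpRequired
	case c.Exp != nil && now >= *c.Exp:
		return nil, ErrExpired
	case o.CheckIssuedAt && c.Iat != nil && now < *c.Iat:
		return nil, ErrUsedBeforeIssued
	case o.Audience != "" && !slices.Contains(c.Aud, o.Audience):
		return nil, ErrBadAudience
	}
	return &c, nil
}

// Authenticate is the collapsed form the thought above argues for: one opaque error outward.
func Authenticate(token string, key []byte, o Options) (*Claims, error) {
	c, err := Validate(token, key, o)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrInvalidToken, err)
	}
	return c, nil
}

// SignHS256 builds a constructed test token; no real issuer or key is involved.
func SignHS256(c Claims, key []byte) string {
	body, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	return input + "." + b64(hs256(input, key))
}

func main() {
	key, o := []byte("constructed-demo-key"), Options{ValidMethods: []string{"HS256"}, RequireExpiration: true, Audience: "demo-aud"}
	_, err := Authenticate(SignHS256(Claims{Sub: "alice", Aud: []string{"demo-aud"}}, key), key, o)
	fmt.Println("token without exp:", err)
}
```

Because `Authenticate` wraps the cause with `%v` rather than `%w`, `errors.Is(err, ErrExpRequired)` is false on what it returns: the precise reason survives in the message for a log line, but nothing outside can branch on it, which is the simplification the thought above is after. Testing the expiration requirement then amounts to signing a claims set without `exp` and asserting that `Validate` returns `ErrExpRequired`, and the same pattern covers each of the other options.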
Description
This PR addresses #1396
It upgrades golang-jwt to v5 and MicahParks/keyfunc to v2.0.3
References
https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md#parsing-and-validation-options
https://github.com/MicahParks/keyfunc/releases/tag/v2.0.0
Review Checklist