
Upgrade golang-jwt to v5 #1601

Open

ilaleksin wants to merge 7 commits into base: main

Conversation

ilaleksin (Contributor)

Description

This PR addresses #1396.
It upgrades golang-jwt to v5 and MicahParks/keyfunc to v2.0.3.

  • refactored JWT claims to align with the jwt v5 interface.
  • added a separate WithIssuedAt validation because the iat claim check was removed from the jwt.Parse() function.
  • added one unit test to verify the case when an iss alias is set but the JWT iss claim has the original issuer value.
  • keyfunc is upgraded to v2 because it depends on golang-jwt v5, while keyfunc v1 depends on golang-jwt v4.

References

https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md#parsing-and-validation-options
https://github.com/MicahParks/keyfunc/releases/tag/v2.0.0

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

@ilaleksin ilaleksin requested a review from a team as a code owner May 6, 2024 18:03
@ilaleksin ilaleksin changed the title Draft: Upgrade to golang-jwt v5 Draft: Upgrade golang-jwt to v5 May 6, 2024

codecov bot commented May 6, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.37%. Comparing base (fa4ff8d) to head (4a3e97f).
Report is 6 commits behind head on main.

❗ Current head 4a3e97f differs from pull request most recent head 7b5bea9. Consider uploading reports for the commit 7b5bea9 to get more accurate results

@@            Coverage Diff             @@
##             main    #1601      +/-   ##
==========================================
+ Coverage   86.27%   86.37%   +0.10%     
==========================================
  Files          87       86       -1     
  Lines        8239     8226      -13     
==========================================
- Hits         7107     7104       -3     
+ Misses        798      791       -7     
+ Partials      334      331       -3     


@ilaleksin ilaleksin changed the title Draft: Upgrade golang-jwt to v5 Upgrade golang-jwt to v5 May 6, 2024
}

validIssuers := []string{oidc.MainIssuer}
Member

nitpick: this line can be combined with the next line.

@@ -4,13 +4,13 @@ go 1.21.9

require (
github.com/Masterminds/squirrel v1.5.4
github.com/MicahParks/keyfunc v1.9.0
github.com/MicahParks/keyfunc/v2 v2.0.3
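Review bot: the `require` hunk swaps `github.com/MicahParks/keyfunc v1.9.0` for `github.com/MicahParks/keyfunc/v2 v2.0.3`, but the `github.com/golang-jwt/jwt/v5` requirement it now needs, and the removal of the `jwt/v4` requirement, fall outside the lines shown; please confirm with `go mod tidy` and `go mod why github.com/golang-jwt/jwt/v4` that no v4 copy survives as an indirect dependency, since both major versions would otherwise compile side by side and a stray v4 import would silently keep the old claim-validation behaviour.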

internal/authn/oidc/oidc.go (outdated)
Comment on lines 91 to 93
if err := jwt.NewValidator(jwt.WithIssuedAt()).Validate(claims); err != nil {
return nil, errInvalidToken
}
Member

You can get rid of this block and change line 74 to

jwtParser := jwt.NewParser(
		jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}),
		jwt.WithIssuedAt(),
	)

Also, please add jwt.WithExpirationRequired(), and add a test for that.

Comment on lines +107 to 108
if err := jwt.NewValidator(jwt.WithAudience(oidc.Audience)).Validate(claims); err != nil {
return nil, errInvalidAudience
Member

Thought (not for this PR): I think we shot ourselves in the foot by having all these custom error codes. The code would be much simpler and therefore more secure if we performed all validations in one go:

jwtParser := jwt.NewParser(
		jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}),
		jwt.WithIssuedAt(),
		jwt.WithExpirationRequired(),
		jwt.WithAudience(config.Audience),
	)
// token and err come from the jwtParser.ParseWithClaims(...) call, elided in this sketch
if err != nil || !token.Valid {
	return nil, errInvalidToken
}

:(
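As an added example (not OpenFGA's code and not the golang-jwt API), the following stand-alone Go program re-implements the checks discussed in the PR description and in the reviewer's consolidated jwt.NewParser sketch above: an RS256-only alg allowlist, signature verification before any claim is read, exp required (what WithExpirationRequired does in jwt v5), iat not in the future (what WithIssuedAt restores), audience match, and an issuer that may be the main issuer or a configured alias. It uses only the standard library so it runs without fetching golang-jwt; the Validator and Claims types, SignRS256, the fixed clock, and the issuer and audience strings are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Claims holds the registered claims the thread checks; pointers let an absent claim (nil) differ from zero.
type Claims struct {
	Issuer   string `json:"iss,omitempty"`
	Audience string `json:"aud,omitempty"`
	IssuedAt *int64 `json:"iat,omitempty"`
	Expiry   *int64 `json:"exp,omitempty"`
}

// Validator carries what the reviewer would pass to jwt.NewParser (alg allowlist, WithIssuedAt,
// WithExpirationRequired, WithAudience) plus the main issuer and its aliases. Now is injectable for tests.
type Validator struct {
	Key          *rsa.PublicKey
	ValidMethods []string
	Audience     string
	ValidIssuers []string
	Now          func() time.Time
}

// ErrInvalidToken is the one error returned for every failure, as the reviewer suggests.
var ErrInvalidToken = errors.New("invalid token")
var b64 = base64.RawURLEncoding
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// Validate checks alg against the allowlist (rejecting "none"), verifies the signature before trusting
// any claim, then runs every claim check in one go and returns the claims only if all of them passed.
func (v *Validator) Validate(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalidToken
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	body, errB := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if errH != nil || errB != nil || errS != nil || json.Unmarshal(hdrJSON, &hdr) != nil ||
		!slices.Contains(v.ValidMethods, hdr.Alg) {
		return nil, ErrInvalidToken
	}
	var c Claims
	if rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil ||
		json.Unmarshal(body, &c) != nil {
		return nil, ErrInvalidToken
	}
	now := v.Now()
	// WithExpirationRequired: a token without exp is rejected, not waved through.
	if c.Expiry == nil || !now.Before(time.Unix(*c.Expiry, 0)) {
		return nil, ErrInvalidToken
	}
	// WithIssuedAt: an iat in the future is rejected, a missing iat is allowed (the check jwt.Parse dropped in v5).
	if c.IssuedAt != nil && now.Before(time.Unix(*c.IssuedAt, 0)) {
		return nil, ErrInvalidToken
	}
	// Audience must match; the issuer may be the main issuer or any configured alias.
	if c.Audience != v.Audience || !slices.Contains(v.ValidIssuers, c.Issuer) {
		return nil, ErrInvalidToken
	}
	return &c, nil
}

// SignRS256 mints tokens for the demonstration; it stands in for the identity provider.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c) // a plain struct always marshals
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

func Unix(t time.Time) *int64 { u := t.Unix(); return &u }

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Unix(1700000000, 0) // fixed clock so the run is reproducible
	v := &Validator{Key: &key.PublicKey, ValidMethods: []string{"RS256"}, Audience: "openfga",
		ValidIssuers: []string{"https://issuer.example", "https://alias.example"}, Now: func() time.Time { return now }}
	mint := func(c Claims) string { tok, _ := SignRS256(key, c); return tok }
	_, errOK := v.Validate(mint(Claims{"https://alias.example", "openfga", Unix(now.Add(-time.Minute)), Unix(now.Add(time.Hour))}))
	_, errNoExp := v.Validate(mint(Claims{"https://issuer.example", "openfga", Unix(now), nil}))
	fmt.Println("alias issuer:", errOK, "| missing exp:", errNoExp) // <nil> | invalid token
}
```

Returning a single ErrInvalidToken for every failure is the reviewer's point: with one error there is no branch where a later claim check is skipped because an earlier one returned a more specific error, and the response does not tell a caller which check it tripped. Checking the alg allowlist and the signature before reading any claim matters in the same way: a claim is only evidence once the signature over it has been verified.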
