Skip to content

v1.2.7
Compare
Choose a tag to compare
@lestrrat lestrrat released this 26 Sep 06:09
· 93 commits to main since this release
v1.2.7
b929201

Lots of usability improvements around jwt.Parse() and jwt.Validate() !

v1.2.7 26 Sep 2021
[New features]
  * `jwt.InferAlgorithmFromKey()` option is now available to "guess"
    the algorithm used to verify the JWS signature on a JWT using
    a JWKS (key set). This allows you to match JWKs that do not have
    the `alg` field populated.

    We understand that some providers do not provide the `alg` field,
    which is a nuisance to users. But from a purely security minded PoV,
    we don't think that this "try until something works" approach is a
    good one, even if there are no known exploits. This is why the
    default `jwt.Parse` mechanism is unchanged, and an explicit option
    has been added.

  * Types `jwt.KeySetProvider` and `jwk.KeySetProviderFunc` have been
    added. Along with `jwt.WithKeySetProvider()` option, `jwt.Parse`
    can now choose the `jwk.Set` to use for signature verification
    dynamically using the UNVERFIEID token as a clue.

    You should NOT trust the token information too much. For example,
    DO NOT directly use values from the token as verificatin parameters
    (such as the signature algorithm)

  * `jwt.WithValidator()` has been added to allow users pass in aribtrary
    validation code to the `jwt.Validate()` method.

    It is also now possible to pass in a `context.Context` object to
    `jwt.Validate()` using `jwt.WithContext()` option.
Assets 2
Loading