2022-06-09 18:53:45 +00:00
|
|
|
Changes
|
|
|
|
=======
|
|
|
|
|
|
|
|
v2 has many incompatibilities with v1. To see the full list of differences between
|
|
|
|
v1 and v2, please read the Changes-v2.md file (https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes-v2.md)
|
|
|
|
|
2023-01-16 01:55:01 +00:00
|
|
|
v2.0.8 - 25 Nov 2022
|
|
|
|
[Security Fixes]
|
|
|
|
* [jws][jwe] Starting from go 1.19, code related to elliptic algorithms
|
|
|
|
panics (instead of returning an error) when certain methods
|
|
|
|
such as `ScalarMult` are called using points that are not on the
|
|
|
|
elliptic curve being used.
|
|
|
|
|
|
|
|
Using inputs that cause this condition, and you accept unverified JWK
|
|
|
|
from the outside it may be possible for a third-party to cause panics
|
|
|
|
in your program.
|
|
|
|
|
|
|
|
This has been fixed by verifying that the point being used is actually
|
|
|
|
on the curve before such computations (#840)
|
|
|
|
[Miscellaneous]
|
|
|
|
* `jwx.GuessFormat` now returns `jwx.InvalidFormat` when the heuristics
|
|
|
|
is sure that the buffer format is invalid.
|
|
|
|
|
|
|
|
v2.0.7 - 15 Nov 2022
|
|
|
|
[New features]
|
|
|
|
* [jwt] Each `jwt.Token` now has an `Options()` method
|
|
|
|
* [jwt] `jwt.Settings(jwt.WithFlattenedAudience(true))` has a slightly
|
|
|
|
different semantic than before. Instead of changing a global variable,
|
|
|
|
it now specifies that the default value of each per-token option for
|
|
|
|
`jwt.FlattenAudience` is true.
|
|
|
|
|
|
|
|
Therefore, this is what happens:
|
|
|
|
|
|
|
|
// No global settings
|
|
|
|
tok := jwt.New()
|
|
|
|
tok.Options.IsEnabled(jwt.FlattenAudience) // false
|
|
|
|
|
|
|
|
// With global settings
|
|
|
|
jwt.Settings(jwt.WithFlattenedAudience(true))
|
|
|
|
tok := jwt.New()
|
|
|
|
tok.Options.IsEnabled(jwt.FlattenAudience) // true
|
|
|
|
// But you can still turn FlattenAudience off for this
|
|
|
|
// token alone
|
|
|
|
tok.Options.Disable(jwt.FlattenAudience)
|
|
|
|
|
|
|
|
Note that while unlikely to happen for users relying on the old behavior,
|
|
|
|
this change DOES introduce timing issues: whereas old versions switched the
|
|
|
|
JSON marshaling for ALL tokens immediately after calling `jwt.Settings`,
|
|
|
|
the new behavior does NOT affect tokens that have been created before the
|
|
|
|
call to `jwt.Settings` (but marshaled afterwards).
|
|
|
|
|
|
|
|
So the following may happen:
|
|
|
|
|
|
|
|
// < v2.0.7
|
|
|
|
tok := jwt.New()
|
|
|
|
jwt.Settings(jwt.WithFlattenedAudience(true))
|
|
|
|
json.Marshal(tok) // flatten = on
|
|
|
|
|
|
|
|
// >= v2.0.7
|
|
|
|
tok := jwt.New() // flatten = off
|
|
|
|
jwt.Settings(jwt.WithFlattenedAudience(true))
|
|
|
|
json.Marshal(tok) // flatten is still off
|
|
|
|
|
|
|
|
It is recommended that you only set the global setting once at the
|
|
|
|
very beginning of your program to avoid problems.
|
|
|
|
|
|
|
|
Also note that `Clone()` copies the settings as well.
|
|
|
|
|
|
|
|
[Miscellaneous]
|
|
|
|
* WithCompact's stringification should have been that of the
|
|
|
|
internal indentity struct ("WithSerialization"), but it was
|
|
|
|
wrongly producing "WithCompact". This has been fixed.
|
|
|
|
* Go Workspaces have been enabled within this module.
|
|
|
|
- When developing, modules will refer to the main jwx module that they
|
|
|
|
are part of. This allows us to explicitly specify the dependency version
|
|
|
|
in, for example, ./cmd/jwx/go.mod but still develop against the local version.
|
|
|
|
- If you are using `goimports` and other tools, you might want to upgrade
|
|
|
|
binaries -- for example, when using vim-go's auto-format-on-save feature,
|
|
|
|
my old binaries took well over 5~10 seconds to compute the import paths.
|
|
|
|
This was fixed when I switched to using go1.19, and upgraded the binaries
|
|
|
|
used by vim-go
|
|
|
|
|
|
|
|
v2.0.6 - 25 Aug 2022
|
|
|
|
[Bug fixes][Security]
|
|
|
|
* [jwe] Agreement Party UInfo and VInfo (apv/apu) were not properly being
|
|
|
|
passed to the functions to compute the aad when encrypting using ECDH-ES
|
|
|
|
family of algorithms. Therefore, when using apu/apv, messages encrypted
|
|
|
|
via this module would have failed to be properly decrypted.
|
|
|
|
|
|
|
|
Please note that bogus encrypted messages would not have succeed being
|
|
|
|
decrypted (i.e. this problem does not allow spoofed messages to be decrypted).
|
|
|
|
Therefore this would not have caused unwanted data to to creep in --
|
|
|
|
however it did pose problems for data to be sent and decrypted from this module
|
|
|
|
when using ECDH-ES with apu/apv.
|
|
|
|
|
|
|
|
While not extensively tested, we believe this regression was introduced
|
|
|
|
with the v2 release.
|
|
|
|
|
|
|
|
v2.0.5 - 11 Aug 2022
|
|
|
|
[Bug fixes]
|
|
|
|
* [jwt] Remove stray debug log
|
|
|
|
* [jwk] Fix x5u field name, caused by a typo
|
|
|
|
* [misc] Update golangci-lint action to v3; v2 was causing weird problems
|
|
|
|
|
2022-07-28 20:31:28 +00:00
|
|
|
v2.0.4 - 19 Jul 2022
|
|
|
|
[Bug Fixes]
|
|
|
|
* [jwk] github.com/lestrrat-go/httprc, which jwk.Cache depends on,
|
|
|
|
had a problem with inserting URLs to be re-fetched into its queue.
|
|
|
|
As a result it could have been the case that some JWKS were not
|
|
|
|
updated properly. Please upgrade if you use jwk.Cache.
|
|
|
|
|
|
|
|
* [jwk] cert.Get could fail with an out of bounds index look up
|
|
|
|
|
|
|
|
* [jwk] Fix doc buglet in `KeyType()` method
|
|
|
|
|
|
|
|
[New Features]
|
|
|
|
* [jws] Add `jws.WithMultipleKeysPerKeyID()` sub-option to allow non-unique
|
|
|
|
key IDs in a given JWK set. By default we assume that a key ID is unique
|
|
|
|
within a key set, but enabling this option allows you to handle JWK sets
|
|
|
|
that contain multiple keys that contain the same key ID.
|
|
|
|
|
|
|
|
* [jwt] Before v2.0.1, sub-second accuracy for time based fields
|
|
|
|
(i.e. `iat`, `exp`, `nbf`) were not respected. Because of this the code
|
|
|
|
to evaluate this code had always truncated any-subsecond portion
|
|
|
|
of these fields, and therefore no sub-second comparisons worked.
|
|
|
|
A new option for validation `jwt.WithTruncation()` has been added
|
|
|
|
to workaround this. This option controls the value used to truncate
|
|
|
|
the time fields. When set to 0, sub-second comparison would be
|
|
|
|
possible.
|
|
|
|
FIY, truncatation will still happen because we do not want to
|
|
|
|
use the monotonic clocks when making comparisons. It's just that
|
|
|
|
truncating using `0` as its argument effectively only strips out
|
|
|
|
the monotonic clock
|
|
|
|
|
2022-06-22 14:31:24 +00:00
|
|
|
v2.0.3 - 13 Jun 2022
|
|
|
|
[Bug Fixes]
|
|
|
|
* [jwk] Update dependency on github.com/lestrrat-go/httprc to v1.0.2 to
|
|
|
|
avoid unintended blocking in the update goroutine for jwk.Cache
|
|
|
|
|
2022-06-09 18:53:45 +00:00
|
|
|
v2.0.2 - 23 May 2022
|
|
|
|
[Bug Fixes][Security]
|
|
|
|
* [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding,
|
|
|
|
where the unpad operation might remove more bytes than necessary (#744)
|
|
|
|
This affects all jwx code that is available before v2.0.2 and v1.2.25.
|
|
|
|
|
|
|
|
[New Features]
|
|
|
|
* [jwt] RFC3339 timestamps are also accepted for Numeric Date types in JWT tokens.
|
|
|
|
This allows users to parse servers that errnously use RFC3339 timestamps in
|
|
|
|
some pre-defined fields. You can change this behavior by setting
|
|
|
|
`jwt.WithNumericDateParsePedantic` to `false`
|
|
|
|
* [jwt] `jwt.WithNumericDateParsePedantic` has been added. This is a global
|
|
|
|
option that is set using `jwt.Settings`
|
|
|
|
|
|
|
|
v2.0.1 - 06 May 2022
|
|
|
|
* [jwk] `jwk.Set` had erronously been documented as not returning an error
|
|
|
|
when the same key already exists in the set. This is a behavior change
|
|
|
|
since v2, and it was missing in the docs (#730)
|
|
|
|
* [jwt] `jwt.ErrMissingRequiredClaim` has been deprecated. Please use
|
|
|
|
`jwt.ErrRequiredClaim` instead.
|
|
|
|
* [jwt] `jwt.WithNumericDateParsePrecision` and `jwt.WithNumericDateFormatPrecision`
|
|
|
|
have been added to parse and format fractional seconds. These options can be
|
|
|
|
passed to `jwt.Settings`.
|
|
|
|
The default precision is set to 0, and fractional portions are not parsed nor
|
|
|
|
formatted. The precision may be set up to 9.
|
|
|
|
* `golang.org/x/crypto` has been upgraded (#724)
|
|
|
|
* `io/ioutil` has been removed from the source code.
|
|
|
|
|
|
|
|
v2.0.0 - 24 Apr 2022
|
|
|
|
* This i the first v2 release, which represents a set of design changes
|
|
|
|
that were learnt over the previous 2 years. As a result the v2 API
|
|
|
|
should be much more consistent and uniform across packages, and
|
|
|
|
should be much more flexible to accomodate real-world needs.
|
|
|
|
|
|
|
|
For a complete list of changes, please see the Changes-v2.md file,
|
|
|
|
or check the diff at https://github.com/lestrrat-go/jwx/compare/v1...v2
|
|
|
|
|
|
|
|
[Miscellaneous]
|
|
|
|
* Minor house cleaning on code generation tools
|
|
|
|
|
|
|
|
[jwt]
|
|
|
|
* `jwt.ErrMissingRequiredClaim()` has been added
|
|
|
|
|
|
|
|
v2.0.0-beta2 - 16 Apr 2022
|
|
|
|
[jwk]
|
|
|
|
* Updated `jwk.Set` API and reflected pending changes from v1 which were
|
|
|
|
left over. Please see Changes-v2.md file for details.
|
|
|
|
|
|
|
|
* Added `jwk.CachedSet`, a shim over `jwk.Cache` that allows you to
|
|
|
|
have to write wrappers around `jwk.Cache` that retrieves a particular
|
|
|
|
`jwk.Set` out of it. You can use it to, for example, pass `jwk.CachedSet`
|
|
|
|
to a `jws.Verify`
|
|
|
|
|
|
|
|
cache := jwk.NewCache(ctx)
|
|
|
|
cache.Register(ctx, jwksURL)
|
|
|
|
cachedSet := jwk.NewCachedSet(cache, jwksURL)
|
|
|
|
jws.Verify(signed, jws.WithKeySet(cachedSet))
|
|
|
|
|
|
|
|
v2.0.0-beta1 - 09 Apr 2022
|
|
|
|
[Miscellaneous]
|
|
|
|
* Renamed Changes.v2 to Changes-v2.md
|
|
|
|
* Housecleaning for lint action.
|
|
|
|
* While v2 was not affected, ported over equivalent test for #681 to catch
|
|
|
|
regressions in the future.
|
|
|
|
* Please note that there is no stability guarantees on pre-releases.
|
|
|
|
|
|
|
|
v2.0.0-alpha1 - 04 Apr 2022
|
|
|
|
* Initial pre-release of v2 line. Please note that there is no stability guarantees
|
|
|
|
on pre-releases.
|