
Move away from unmaintained dgrijalva/jwt-go #50

Closed
adamchalmers opened this issue Sep 21, 2020 · 10 comments

Comments

@adamchalmers

adamchalmers commented Sep 21, 2020

Hi all. https://github.com/dgrijalva/jwt-go has had a security issue open for a while now (dgrijalva/jwt-go#428, dgrijalva/jwt-go#422) about the aud field. I and several other devs have reached out to the maintainer about merging a fix PR. However, we haven't gotten a reply. The repo hasn't seen any activity since January and I suspect it's no longer maintained.

My suggestion is to move to a fork from Form3, https://github.com/form3tech-oss/jwt-go/
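The linked issues concern the aud claim. RFC 7519 allows aud to be either a single string or an array of strings, and a verifier that handles only one shape can silently skip the audience check. The following is an added, stdlib-only Go example (not code from jwt-go, jwtauth or any of the forks named in this thread) that decodes both shapes and fails closed on anything else; the Claims type is a hypothetical minimal claim set:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Audience is a JWT "aud" claim: RFC 7519 allows a string or an array of strings.
type Audience []string

// UnmarshalJSON accepts both permitted shapes and rejects anything else, so an
// unexpected aud value can never be mistaken for "no audience set".
func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err == nil {
		*a = Audience(many)
		return nil
	}
	return errors.New("aud: must be a string or an array of strings")
}

// Claims is a hypothetical minimal claim set; unknown claims are ignored.
type Claims struct {
	Subject  string   `json:"sub"`
	Audience Audience `json:"aud"`
}

// VerifyAudience fails closed: aud must be present and contain expected.
func VerifyAudience(payload []byte, expected string) error {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if len(c.Audience) == 0 {
		return errors.New("aud: claim missing or empty")
	}
	for _, aud := range c.Audience {
		if aud == expected {
			return nil
		}
	}
	return fmt.Errorf("aud: %q not in %v", expected, c.Audience)
}
```

The payload passed in is the decoded JWT claims JSON; signature verification is assumed to have happened before this check.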

@adamchalmers adamchalmers changed the title Move away from unmaintained dgrijalva/go-jwt Move away from unmaintained dgrijalva/jwt-go Sep 21, 2020
@adamchalmers
Author

After speaking with the maintainer we decided to move to https://github.com/square/go-jose instead

@pkieltyka
Member

thanks @adamchalmers for bringing up the issue. I'd definitely like to migrate to an underlying jwt pkg that is better maintained, especially around security concerns. I took a look at square/go-jose and was starting to integrate it into jwtauth this morning when I realized that it doesn't support custom jwt claims, which is certainly problematic. Looks like neither v2 nor v3 of go-jose/jwt support custom claims, but let me know if you see how to do it

@pkieltyka
Member

pkieltyka commented Sep 22, 2020

https://github.com/lestrrat-go/jwx is another option, and it supports custom claims. For others, if you can have a look at jwx, it's the likely candidate I will migrate towards

@adamchalmers
Author

square/go-jose does support custom claims, it's just kinda hidden and not very discoverable. Look at the docs for jwt.Builder

type Builder interface {
    // Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
    // into single JSON object. If you are passing private claims, make sure to set
    // struct field tags to specify the name for the JSON key to be used when
    // serializing.
    Claims(i interface{}) Builder
    ...
}

It takes interface{} so you can pass whatever you want into it. I've seen people pass structs or map[string]interface{} as arguments.

@pkieltyka
Member

oh cool, thanks for pointing that out. Strange interface though

@pkieltyka
Member

pkieltyka commented Oct 16, 2020

Submit a PR then.. I'm happy to review.

@pkieltyka
Member

Free OSS is more like a potluck, and less of a restaurant

@pkieltyka
Member

hey all, just FYI here is the PR for using a new underlying jwt library, #52

@pkieltyka
Member

done in b8af768 and published new v1.1.0 release with go.mod support too, https://github.com/go-chi/jwtauth/releases/tag/v1.1.0

@VojtechVitek
Contributor

FYI, I have published a new fork of this repository, https://github.com/golang-cz/jwtauth, which uses community-maintained github.com/golang-jwt/jwt/v4 jwt library instead of github.com/lestrrat-go/jwx.

The github.com/golang-jwt/jwt/v4 repo is an officially recognized successor to the original github.com/dgrijalva/jwt-go package.

It may be of interest to those who maintain big codebases and don't have enough time for big refactors :)
