change: upgrade JWT lib and add test cases for token validation

Author: larox11

auth/auth.go

@@ -12,7 +12,7 @@ import (
 	"strings"
 
 	"github.com/Nerzal/gocloak/v12"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 // KeycloakAuthorizer is used to validate if JWT has a correct signature and is valid and returns keycloak claims

auth/example_test.go

@@ -19,7 +19,7 @@ import (
 
 	"github.com/Nerzal/gocloak/v12"
 	"github.com/gin-gonic/gin"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/jarcoal/httpmock"
 	"github.com/samber/lo"
 

auth/jwt_test.go

@@ -16,7 +16,7 @@ import (
 	"testing"
 
 	"github.com/Nerzal/gocloak/v12"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/jarcoal/httpmock"
 	"github.com/samber/lo"
 	"github.com/stretchr/testify/require"

client/keycloakJWTReceiverCachedInMemory.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 
 	"github.com/Nerzal/gocloak/v12"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/rs/zerolog/log"
 )
 
@@ -37,7 +37,10 @@ func isTokenValid(token *gocloak.JWT) bool {
 		return false
 	}
 
-	err = claims.Valid()
+	err = jwt.NewValidator(
+		jwt.WithIssuedAt(),
+		jwt.WithExpirationRequired(),
+	).Validate(claims)
 	if err != nil {
 		log.Debug().Msgf("JWT access token is invalid: %v", err)
 		return false

client/keycloakJWTReceiverCachedInMemory_test.go

@@ -47,7 +47,35 @@ func TestKeycloakJWTReceiverCachedInMemory_GetClientToken(t *testing.T) {
 		{
 			name: "Expired cached token",
 			cachedToken: &gocloak.JWT{
-				AccessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyMzEwMjJ9.hsfQPY3ZVrVIV-bzI54NRoTDG6wWzORVp68lxGa3D08", // todo add actual expired token -> create one on jwt.io
+				AccessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyMzEwMjJ9.hsfQPY3ZVrVIV-bzI54NRoTDG6wWzORVp68lxGa3D08",
+			},
+			mockToken: &gocloak.JWT{
+				AccessToken: "test_token",
+			},
+			expectedToken: &gocloak.JWT{
+				AccessToken: "test_token",
+			},
+			expectedError:    nil,
+			shouldFetchToken: true,
+		},
+		{
+			name: "NotBefore date is in the future",
+			cachedToken: &gocloak.JWT{
+				AccessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwibmJmIjo0ODczMjQyNTg3LCJleHAiOjQ4NzQyNDI1ODd9.QZeQwoWl-HRbCcuZbt_3DFnA_h-zD5DhPmcBR0TyrQw",
+			},
+			mockToken: &gocloak.JWT{
+				AccessToken: "test_token",
+			},
+			expectedToken: &gocloak.JWT{
+				AccessToken: "test_token",
+			},
+			expectedError:    nil,
+			shouldFetchToken: true,
+		},
+		{
+			name: "IssuedAt date is in the future",
+			cachedToken: &gocloak.JWT{
+				AccessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0Ijo0ODczMjQyNTg3LCJleHAiOjQ4NzQyNDI1ODd9.h63qP0fMQGgx5S8eV-EHEO1zgSlBmjX3xR80iXnvhX0",
 			},
 			mockToken: &gocloak.JWT{
 				AccessToken: "test_token",
@@ -61,13 +89,13 @@ func TestKeycloakJWTReceiverCachedInMemory_GetClientToken(t *testing.T) {
 		{
 			name: "Valid cached token",
 			cachedToken: &gocloak.JWT{
-				AccessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+				AccessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjQ4NzMyNDI1ODd9.BHuBKDS9MUC01jmo_p4AcVChkbV0aiDZBXcU-hpj8mg",
 			},
 			mockToken: &gocloak.JWT{
 				AccessToken: "test_token",
 			},
 			expectedToken: &gocloak.JWT{
-				AccessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+				AccessToken: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjQ4NzMyNDI1ODd9.BHuBKDS9MUC01jmo_p4AcVChkbV0aiDZBXcU-hpj8mg",
 			},
 			expectedError:    nil,
 			shouldFetchToken: false,

go.mod

@@ -1,11 +1,11 @@
 module github.com/greenbone/keycloak-client-golang
 
-go 1.21
+go 1.22
 
 require (
 	github.com/Nerzal/gocloak/v12 v12.0.0
 	github.com/gin-gonic/gin v1.10.0
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/jarcoal/httpmock v1.3.1
 	github.com/rs/zerolog v1.33.0
 	github.com/samber/lo v1.39.0
@@ -25,6 +25,7 @@ require (
 	github.com/go-playground/validator/v10 v10.21.0 // indirect
 	github.com/go-resty/resty/v2 v2.13.1 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect

go.sum

@@ -31,8 +31,10 @@ github.com/go-resty/resty/v2 v2.13.1/go.mod h1:GznXlLxkq6Nh4sU59rPmUw3VtgpO3aS96
 github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
 github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=