github.com/square/go-jose is deprecated

[mitar]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

We really do not have luck with JWT libraries, https://github.com/square/go-jose is deprecated. They moved development to https://github.com/go-jose/go-jose, but that one looks abandoned as well. :-(

Describe your ideal solution

Figure out why JWT libraries are not supported anymore. What is Square using?

Workarounds or alternatives

Maintain our own JWT library?

Version

latest main branch

Additional Context

Maybe the great Ory bot could detect when a dependency get its repository archived and open an issue about deprecation automatically?

[mitar]

Some background: square/go-jose#342

Possible alternative: https://github.com/lestrrat-go/jwx

[james-d-elliott]

I have been looking at this and the libraries usage of the jose library. From what I can tell there are two primary areas this is utilized:

• JWK Sets which could relatively be hard forked (even partially) from another library as mostly from what I can tell this is used as a communication method of items used for the other usage
• JWT signing / parsing / validation which could be replaced by several libraries including https://github.com/golang-jwt/jwt and https://github.com/golang-jwt/jwe most likely which just take a signing method struct they supply, and the *rsa/ecdsa.PrivateKey effectively for signing (or hmac bytes).

[alnr]

Fixed in #752