Closed pyrooka closed 3 years ago
@pyrooka Thank you for being proactive about this dependency. One slight complication is that it looks like this new jwt package "officially" supports only Go versions 1.15 and 1.16. This caused me to do a little more digging and it looks like we really only call jwt.DecodeSegment(), which has a pretty simple definition:
```go
// Decode JWT specific base64url encoding with padding stripped
func DecodeSegment(seg string) ([]byte, error) {
	if l := len(seg) % 4; l > 0 {
		seg += strings.Repeat("=", 4-l)
	}
	return base64.URLEncoding.DecodeString(seg)
}
```
With this in mind, I think I would prefer that we simply implement our own decodeSegment() function in jwt_utils.go and then remove the dependency on the jwt package altogether.
What do you think?
Good idea! I will make that change in a separate PR and close this as soon as that is merged in. (I think merging this PR is unnecessary.)
Closing this in favor of #122
Not so long ago, we replaced (18d04ad2f6e4fa32386898c39a4580eb4bca7910) the dgrijalva/jwt-go package, because it was not maintained and there were a few unpatched security vulnerabilities in the code. An official community fork, golang-jwt/jwt, has been created, and the readme in the original repo (marked as archived) also recommends using it.
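The dependency-free decoding proposed in the review comment above, sketched as an added example that is not code from this PR or from the project. It uses the standard library's unpadded decoder (base64.RawURLEncoding) instead of re-adding padding, and the claims struct and parseClaims helper are hypothetical names showing how a payload segment would typically be read.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// decodeSegment decodes one base64url JWT segment. JWT segments normally omit
// padding, so any trailing '=' is trimmed and the unpadded decoder is used.
// Both padded and unpadded input are accepted.
func decodeSegment(seg string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(strings.TrimRight(seg, "="))
}

// claims holds two registered time claims (hypothetical struct for this example).
type claims struct {
	Exp int64 `json:"exp"`
	Iat int64 `json:"iat"`
}

// parseClaims splits a compact JWT and decodes its payload. It does NOT verify
// the signature, so the result is suitable for client-side bookkeeping such as
// token expiry, not for authorization decisions.
func parseClaims(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token does not have three segments")
	}
	payload, err := decodeSegment(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parsing payload: %w", err)
	}
	return &c, nil
}

func main() {
	// Constructed sample token: header "{}" and a placeholder signature.
	c, err := parseClaims("e30.eyJleHAiOjF9.sig")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("exp:", c.Exp)
}
```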