search

coreos / go-oidc

A Go OpenID Connect client.
Apache License 2.0
1.99k stars 400 forks source link

Build broken since go-oidc/v3 v3.10.0 which upgraded to go-jose/v4 "undefined: max" #435

Closed timmalich closed 3 months ago

timmalich commented 3 months ago

We are using github.com/coreos/go-oidc/v3 v3.11.0 which adds an indirect dependency to go-jose/v4.0.4

Since we upgraded from go-oidc/v3 v3.9.0 our build is broken with the following error:

36.26 # github.com/go-jose/go-jose/v4
36.26 /go/pkg/mod/github.com/go-jose/go-jose/v4@v4.0.4/encoding.go:109:23: undefined: max
36.26 note: module requires Go 1.21

We are compiling with go 1.23

Are we doing something stupid or is this really an issue since at least jose v4.0.2 or go-oidc v3.10.0?

I also created the same issue in the jose repo: https://github.com/go-jose/go-jose/issues/145

mcpherrinm commented 3 months ago

max was added to Go in 1.21. https://tip.golang.org/ref/spec#Min_and_max

Are you sure you’re compiling with 1.23? The output error suggests you are using an older version.

ericchiang commented 3 months ago

Sorry, this appears to work fine for me, even when explicitly requiring JOSE v4.0.4

$ cat build.sh 
#!/bin/bash -e

go version

temp_dir="$( mktemp -d )"
cd "${temp_dir}"
go mod init testmod
echo 'package main
import "github.com/coreos/go-oidc/v3/oidc"
var _ oidc.Provider
func main() {}
' > main.go
go get github.com/coreos/go-oidc/v3/oidc@v3.10.0
go get github.com/go-jose/go-jose/v4@v4.0.4

go build
cat go.mod
rm -r "${temp_dir}"
$ $ ./build.sh 
go version go1.23.0 linux/amd64
go: creating new go.mod: module testmod
go: added github.com/coreos/go-oidc/v3 v3.10.0
go: added github.com/go-jose/go-jose/v4 v4.0.1
go: added github.com/golang/protobuf v1.5.3
go: added golang.org/x/crypto v0.19.0
go: added golang.org/x/oauth2 v0.13.0
go: added google.golang.org/appengine v1.6.8
go: added google.golang.org/protobuf v1.31.0
go: upgraded github.com/go-jose/go-jose/v4 v4.0.1 => v4.0.4
go: upgraded golang.org/x/crypto v0.19.0 => v0.25.0
module testmod

go 1.23.0

require (
    github.com/coreos/go-oidc/v3 v3.10.0 // indirect
    github.com/go-jose/go-jose/v4 v4.0.4 // indirect
    github.com/golang/protobuf v1.5.3 // indirect
    golang.org/x/crypto v0.25.0 // indirect
    golang.org/x/oauth2 v0.13.0 // indirect
    google.golang.org/appengine v1.6.8 // indirect
    google.golang.org/protobuf v1.31.0 // indirect
)
$ echo $?
0

Can you provide a standalone reproducer?

timmalich commented 3 months ago

Thank you both for the quick response. Yes I am pretty sure I am building with something >= 1.21. 

go version
go version go1.23.0 linux/amd64

To be fair: my go.mod contains the go 1.21 directive. As far as I understood, 1.21 should still be fine.

I'll try to create a producer as soon as possible.

timmalich commented 3 months ago

TL;DR Sorry to have wasted your time. As you have guessed, the issue appeared because of an older go version.

Someone changed the default way to build the project. This switch changed the build to use the old docker image "go buster" and not the local go installation. Since this image was already on my device I didn't see the normal pull output - or anything else indicating it's not using the local installation.