dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

Replace Gorilla toolkit with Chi #2934

Open sagikazarmark opened 1 year ago

sagikazarmark commented 1 year ago

Discussed in https://github.com/dexidp/dex/discussions/2933

Originally posted by **einhirn** May 10, 2023

Hi all, I stumbled across the fact that dex uses the gorilla web toolkit which is discontinued/archived/unmaintained since end of 2022 - are there any plans to switch to another web toolkit or fork and maintain the gorilla web toolkit? An authentication server using a web toolkit with potential issues that won't get fixed makes me a little queasy, to be honest... Thanks!

seankhliao commented 1 year ago

I had a quick look at how gorilla/mux was used. It looks like only these lines require more advanced routing (along with using gorilla/handlers for CORS), but these are configured to match URLs like `/auth/http://any.valid.url//login`, which isn't a configuration supported by chi:

> The special placeholder of asterisk matches the rest of the requested URL. Any trailing characters in the pattern are ignored. This is the only placeholder which will match / characters.

Maybe it's worth it to just drop using an external handler?

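```go
// SkipClean(true) leaves the request path uncleaned (a "//" is kept as is);
// UseEncodedPath() matches routes against the still-encoded path.
r := mux.NewRouter().SkipClean(true).UseEncodedPath()
handleFunc("/auth/{connector}", s.handleConnectorLogin)
handleFunc("/auth/{connector}/login", s.handlePasswordLogin)
handleFunc("/callback/{connector}", s.handleConnectorCallback)
```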
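The routing problem described in the comment above, as an added example that is not dex's, gorilla/mux's or chi's code: using only the standard library, it matches `/auth/{connector}` on the still-encoded path and contrasts that with a router that decodes and cleans the path first. The function names are hypothetical, and it assumes the connector ID arrives percent-encoded in the request path.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// parseAuth accepts /auth/{connector}[/login]; ok is false for any other shape.
func parseAuth(p string) (seg string, login, ok bool) {
	if !strings.HasPrefix(p, "/auth/") {
		return "", false, false
	}
	segs := strings.Split(strings.TrimPrefix(p, "/auth/"), "/")
	switch {
	case segs[0] == "": // empty connector segment: fall through to "no match"
	case len(segs) == 1:
		return segs[0], false, true
	case len(segs) == 2 && segs[1] == "login":
		return segs[0], true, true
	}
	return "", false, false
}

// matchEncoded routes on the still-encoded path and decodes only the
// connector segment afterwards, so an encoded "/" (%2F) stays inside the ID.
func matchEncoded(u *url.URL) (string, bool, bool) {
	seg, login, ok := parseAuth(u.EscapedPath())
	if !ok {
		return "", false, false
	}
	id, err := url.PathUnescape(seg)
	if err != nil { // malformed percent-escape in the connector segment
		return "", false, false
	}
	return id, login, true
}

// matchCleaned models a router that decodes and cleans the path first.
func matchCleaned(u *url.URL) (string, bool, bool) {
	return parseAuth(path.Clean(u.Path))
}

func main() {
	// Constructed sample: connector ID "http://any.valid.url/", percent-encoded.
	u, _ := url.Parse("/auth/http:%2F%2Fany.valid.url%2F/login")
	fmt.Println(matchEncoded(u)) // connector ID recovered intact
	fmt.Println(matchCleaned(u)) // no match: "//" collapsed, extra segments
}
```

An authentication server that matched on the cleaned path would either miss the login route for such a connector or resolve a different connector ID than the one the client encoded.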
nabokihms commented 1 year ago

If the only point of replacing was the project deprecation, it seems that the gorilla project will live a little bit longer: https://gorilla.github.io/blog/2023-07-17-project-status-update/

nabokihms commented 1 year ago

The project was unarchived, which means the kit will receive fixes, including security fixes. Are there any other reasons to migrate from Gorilla toolkit?

sagikazarmark commented 1 year ago

Personally, I like Gorilla and I don't see any other reason to switch.