Closed Waterdrips closed 3 years ago
@dgrijalva can we get this merged? This is a vital security patch IMHO.
Due to https://github.com/golang/go/issues/33908 it is not possible to perform go get on a PR, so it's either:
MapClaims from this package into your project and use it instead of jwtgo.MapClaims (and changing if vErr.valid() to if vErr.Errors == 0 to make it work)
For those following this PR please look at https://github.com/dgrijalva/jwt-go/issues/428 where we are trying to get things back to a maintained state
This has already been done in https://github.com/dgrijalva/jwt-go/pull/286 I think.
Applied the same patch as https://github.com/golang-jwt/jwt/pull/12 as per https://github.com/dgrijalva/jwt-go/issues/462#issuecomment-877353751
Hello there, do we know when/if this will be released? Thanks for the fix!
Please see repo golang-jwt/jwt where this project continues
Aud validation on the JWT was being bypassed if a list of claims was presented to the server. This commit checks if the aud claim is a list of strings, if not it checks if it's a single string, if not it will return invalid.
This fixes #422 #428
Signed-off-by: Alistair Hey <alistair.hey@form3.tech>
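The check described in the PR description above, as an added Go sketch; it is not the code from this PR or from jwt-go. `audWeak` models one way such a bypass can arise (an `aud` that is not a plain string is treated as absent), and `audStrict` accepts a string or a list of strings and rejects any other shape. The function names, the `required` flag and the sample values are assumptions made for the illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// audWeak (hypothetical) models the flaw: a non-string "aud" is treated as absent.
func audWeak(c map[string]interface{}, want string, required bool) bool {
	aud, _ := c["aud"].(string) // JSON array => "", failed assertion ignored
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(want)) == 1
}

// audStrict (hypothetical) accepts a string or an array of strings; any other shape is invalid.
func audStrict(c map[string]interface{}, want string, required bool) bool {
	var auds []string
	switch v := c["aud"].(type) {
	case nil: // claim absent (or JSON null)
		return !required
	case string:
		auds = []string{v}
	case []interface{}: // what encoding/json yields for a JSON array
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return false // mixed-type list is rejected outright
			}
			auds = append(auds, s)
		}
	default:
		return false
	}
	match := 0
	for _, a := range auds { // check every entry, no early exit
		match |= subtle.ConstantTimeCompare([]byte(a), []byte(want))
	}
	return match == 1
}

func main() {
	var c map[string]interface{} // constructed payload; signature checks are out of scope
	_ = json.Unmarshal([]byte(`{"aud":["other-service"]}`), &c)
	fmt.Println(audWeak(c, "my-api", false), audStrict(c, "my-api", false))
}
```

With the constructed payload, the weak check accepts a token addressed to a different audience while the strict check rejects it.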