search

dgrijalva / jwt-go

ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
https://github.com/golang-jwt/jwt
MIT License
10.78k stars 997 forks source link

Is this project still maintained? #457

Closed cep21 closed 3 years ago

cep21 commented 3 years ago

Hi,

Thank you so much for this project. It's very helpful. I'm just wondering if there is still time to maintain this code. I noticed that https://github.com/auth0/go-jwt-middleware uses a fork due to "jwt-go not being actively maintained" and noticed a few tickets in https://github.com/dgrijalva/jwt-go/issues that mention security issues. An update on project status, or maybe finding someone willing to take over (maybe from the fork auth-0 uses?) would be useful.

Thanks!

ripienaar commented 3 years ago

It’s not maintained. There was some discussion earlier to make a org that maintains a fork maintained by multiple maintainers but it fizzled out, think people would rather score point by maintaining forks under their own banners alas.

cep21 commented 3 years ago

I did some due diligence, and https://github.com/lestrrat-go/jwx seems like the current best JWT open source Golang library along the dimensions of

TimothyGu commented 3 years ago

There is also https://pkg.go.dev/gopkg.in/square/go-jose.v2, which is also actively maintained and backed by a well-known company (@square).

vibridi commented 3 years ago

https://github.com/lestrrat-go/jwx seems a decent alternative but it exposes the Token as an interface, which is a significant difference from what this package did. Migrating old code comes with some overhead. @ripienaar I might be interested in contributing without the need to "score points" with yet another fork.

ripienaar commented 3 years ago

@vibridi see discussion here https://github.com/dgrijalva/jwt-go/issues/428 maybe try to ressurect that, if there's enough interest I can take another look at doing it.

vibridi commented 3 years ago

@ripienaar I read that discussion, the last point made by @lggomez makes critical sense:

because this one may be already audited and being used at companies following PCI DSS standards (just to name an example) and I'm not certain forks are freely allowed without a full re-audit

so if this is indeed a concern, the only solution is that @dgrijalva opens up this repo

Otherwise interested folks fork it and Dave still has to give his blessing with a readme update to point to the new "official" repo. Dave's involvement is still sort of necessary because 1. there are already 800+ forks and who knows in what state all those are, and 2. today if you google golang jwt library the very first result is this repo, then some other repo with 200 stars and then an article from auth0 that mentions this repo. I would like to laugh but I just don't have it in me at this time.

About there being enough interest, I bet there is. The other two major alternatives are the Square lib, which is probably unmaintained itself, and lestrrat-go/jwx, which honestly has a weird API... I mean... the token is an interface and to set the standard claims you must call token.Set which returns an error...?

The only solution I see is a community effort, whose first accomplishment is to have @dgrijalva bequeath his code to them.

ripienaar commented 3 years ago

@vibridi anyone who is in such an environment are now well and truely screwed - because they are running vulnerable packages with no recourse as its unmaintained.

We'd be doing them a favour to trigger a re-audit imo.

We won't get a respose from @dgrijalva as you can see, he's completely radio silent on this project. Given that level of care moving to a new org is the right - if painful - thing to do.

lggomez commented 3 years ago

It sucks to be on this stage because we are at a moment with 2 complications at hand:

In the past npm has dealt with similar issues by granting ownership to a new maintainer (or in this case a new organization should be needed with enough trusted new third party maintainers and preserving the original owner for the sake of honoring the repo's license). I don't know how github can intercede on cases like this, where intervention is clearly needed

ripienaar commented 3 years ago

GitHub cannot intercede it would be a massive trust issue if they got involved in something so inconsequential as a repo like this - or in fact any repo. I'd leave github immediately if they did something like hand over a repo to someone else without owner consent

This is not a new or unique problem, the only thing to do is make something new based on a fork - and learn from the mistakes ie. make a org and make sure enough interested parties are involved.

Waterdrips commented 3 years ago

@ripienaar Id be open to working on this in an org if there's some other interested parties.

I made the form3tech-oss fork to unblock us internally until some consensus was made in the community, never meant for it to be permanent :laughing:

The other approach is to "do nothing" and leave it up to people to adopt another lib. Both cases require a user to make changes to get a fix, so is it worth the commitment on maintaining yet another lib as there have been some suggestions in some of these threads as to alternatives.

lestrrat commented 3 years ago

@vibridi https://github.com/dgrijalva/jwt-go/issues/457#issuecomment-804975945

Just out of curiosity, what sort of API would it require to sway you into using my jwx package? If it's doable by providing an translation/compatibility layer, I might be game to implementing it

//  (pseudo go-code)
import (
   "github.com/lestrrat-go/jwx/jwt"
   "github.com/lestrrat-go/jwx/jwt/dgrijalva"
 )

 lestrratJWT := jwt.Parse(...)
// I dunno, just guessing that this might work
compatJWT := dgrijalva.From(lestrratJWT)
// do stuff with JWT....
anotherLestrratJWT := dgrijalva.To(compatJWT)
vibridi commented 3 years ago

@lestrrat Hi! At first I was put off by the fact the the token is an interface and calls to tok.Set() return an error, which is a decrease in usability from this repo's plain struct jwt.StandardClaims. Then I told myself to put bias aside and took a good look at your overall project. After writing some real code with it, everything nicely falls into place. I did end up adopting it at my organization. I won't lie, migrating from dgrijalva/jwt-go took me 2-3 hours more than I liked, but I'm happy with my choice.

Frankly your design makes a lot of sense. I just had to give myself some time to get used to it. Thanks for stopping by 👍

lestrrat commented 3 years ago

Thanks, that's good to know!

Just for reference to others, there are actual reasons for jwt.Token being an interface. It was really long, so I turned it into a FAQ in my README.

dgrijalva commented 3 years ago

It's pretty clear I haven't had time to maintain this library anymore. I'm open to migrating to new maintainer(s). See #462