go-chi / jwtauth

JWT authentication middleware for Go HTTP services
MIT License

Move away from unmaintained dgrijalva/jwt-go #50

Closed adamchalmers closed 3 years ago

adamchalmers commented 3 years ago

Hi all. https://github.com/dgrijalva/jwt-go has had a security issue open for a while now (https://github.com/dgrijalva/jwt-go/issues/428, https://github.com/dgrijalva/jwt-go/issues/422) about the aud field. I and several other devs have reached out to the maintainer about merging a fix PR. However, we haven't gotten a reply. The repo hasn't seen any activity since January and I suspect it's no longer maintained.

My suggestion is to move to a fork from Form3, https://github.com/form3tech-oss/jwt-go/

adamchalmers commented 3 years ago

After speaking with the maintainer we decided to move to https://github.com/square/go-jose instead.

pkieltyka commented 3 years ago

Thanks @adamchalmers for bringing up the issue. I'd definitely like to migrate to an underlying jwt pkg that is better maintained, especially around security concerns. I took a look at square/go-jose and was starting to integrate it into jwtauth this morning when I realized that it doesn't support custom jwt claims, which is certainly problematic. Looks like neither v2 nor v3 of go-jose/jwt support custom claims, but let me know if you see how to do it.

pkieltyka commented 3 years ago

https://github.com/lestrrat-go/jwx is another option, and it supports custom claims. For others, if you can, have a look at jwx; it's the likely candidate I will migrate towards.

adamchalmers commented 3 years ago

square/go-jose does support custom claims, it's just kinda hidden and not very discoverable. Look at the docs for jwt.Builder:

type Builder interface {
    // Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
    // into single JSON object. If you are passing private claims, make sure to set
    // struct field tags to specify the name for the JSON key to be used when
    // serializing.
    Claims(i interface{}) Builder
    ...
}

It takes interface{} so you can pass whatever you want into it. I've seen people pass structs or map[string]interface{} as arguments.
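Whichever library jwtauth lands on, the two things this thread keeps coming back to are custom claims structs and the `aud` field. As an added example (not code from jwtauth, go-jose or any commenter, and using only the Go standard library), here is a custom claims struct whose `aud` field accepts both encodings RFC 7519 permits, a single string or an array of strings, and a check that runs on a payload the library has already signature-verified; the payloads in `main` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audience holds the "aud" claim. RFC 7519 allows either a single string or
// an array of strings, so a verifier must accept both; one that only handles
// the string form can end up skipping the check when an issuer sends an array.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if json.Unmarshal(b, &single) == nil {
		*a = audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings")
	}
	*a = many
	return nil
}

// claims is a custom claims struct of the kind the thread wants to keep supporting.
type claims struct {
	Sub string   `json:"sub"`
	Aud audience `json:"aud"`
}

// checkAudience parses an already signature-verified payload (assumed done by the
// JWT library) and requires expected to appear in aud; a missing or empty aud fails.
func checkAudience(payload []byte, expected string) (*claims, error) {
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	for _, a := range c.Aud {
		if a == expected {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("audience %q not in %v", expected, []string(c.Aud))
}

func main() { // constructed payloads: string aud, array aud, no aud at all
	for _, p := range []string{`{"sub":"alice","aud":"api"}`, `{"sub":"bob","aud":["web","api"]}`, `{"sub":"eve"}`} {
		_, err := checkAudience([]byte(p), "api")
		fmt.Println(p, "->", err)
	}
}
```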

pkieltyka commented 3 years ago

Oh cool, thanks for pointing that out. Strange interface though.

pkieltyka commented 3 years ago

Submit a PR then... I'm happy to review.

pkieltyka commented 3 years ago

Free OSS is more like a potluck, and less of a restaurant

pkieltyka commented 3 years ago

Hey all, just FYI, here is a PR for using a new underlying jwt library: https://github.com/go-chi/jwtauth/pull/52

pkieltyka commented 3 years ago

Done in https://github.com/go-chi/jwtauth/commit/b8af7682724b6332af29e5d814f2f040817b1eb1 and published a new v1.1.0 release with go.mod support too: https://github.com/go-chi/jwtauth/releases/tag/v1.1.0

VojtechVitek commented 3 years ago

FYI, I have published a new fork of this repository, https://github.com/golang-cz/jwtauth, which uses community-maintained github.com/golang-jwt/jwt/v4 jwt library instead of github.com/lestrrat-go/jwx.

The github.com/golang-jwt/jwt/v4 repo is an officially recognized successor to the original github.com/dgrijalva/jwt-go package.

It may be of interest to those who maintain big codebases and don't have enough time for big refactors :)