When we upgraded Go to 1.19.1 in v0.44.0, the stdlib code underlying `io.jwt.verify_es*` (256, 384, 512) and `io.jwt.decode_verify` for the same algorithms changed. As a consequence, invalid token signatures could make OPA panic.
Before 0.44.0, they were just invalid. With 0.44.0, they would panic.
See this example (concrete outputs are irrelevant, and I can't share the inputs):
ℹ️ This issue is for visibility. It's been fixed in #5214. We'll now go back to the previous behaviour -- it's just invalid signatures.
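For reference, here is what the expected "invalid, not a panic" behaviour looks like for an ES256 JWS check. This is an added example written for this issue, not OPA's own `io.jwt` implementation or the code changed in #5214; the function names (`signES256`, `verifyES256`, `verifyCompactJWS`) and the sample header/payload are constructed for illustration. It covers only ES256 (P-256 with SHA-256); ES384 and ES512 differ only in curve, hash and coordinate width.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

// coordinateSize is the byte length of one curve coordinate (32 for P-256),
// which is also the fixed width of r and s in a JWS raw signature.
func coordinateSize(c elliptic.Curve) int {
	return (c.Params().BitSize + 7) / 8
}

// signES256 produces the JWS raw r||s signature over signingInput
// (base64url without padding, per RFC 7518 section 3.4).
func signES256(priv *ecdsa.PrivateKey, signingInput string) (string, error) {
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	n := coordinateSize(priv.Curve)
	sig := make([]byte, 2*n)
	r.FillBytes(sig[:n]) // left-pad each integer to the fixed coordinate width
	s.FillBytes(sig[n:])
	return base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyES256 returns true only for a well-formed, valid signature. Every
// malformed path (bad base64, wrong length, r or s out of range) returns
// false instead of panicking, which is what a policy engine must guarantee.
func verifyES256(pub *ecdsa.PublicKey, signingInput, sigB64 string) bool {
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	n := coordinateSize(pub.Curve)
	// Check the length before slicing: splitting a short signature into
	// sig[:n] and sig[n:] without this check is a slice-bounds panic.
	if len(sig) != 2*n {
		return false
	}
	r := new(big.Int).SetBytes(sig[:n])
	s := new(big.Int).SetBytes(sig[n:])
	h := sha256.Sum256([]byte(signingInput))
	// ecdsa.Verify returns false (not a panic) for r or s outside [1, N-1].
	return ecdsa.Verify(pub, h[:], r, s)
}

// verifyCompactJWS splits a compact-serialized token (header.payload.signature)
// and verifies the signature over the first two segments.
func verifyCompactJWS(pub *ecdsa.PublicKey, token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	return verifyES256(pub, parts[0]+"."+parts[1], parts[2])
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub := &priv.PublicKey
	// Constructed sample header and payload, not taken from any real token.
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"sub":"example"}`))
	signingInput := header + "." + payload
	sig, _ := signES256(priv, signingInput)

	fmt.Println("valid token:        ", verifyCompactJWS(pub, signingInput+"."+sig))
	fmt.Println("truncated signature:", verifyCompactJWS(pub, signingInput+"."+sig[:20]))
	fmt.Println("garbage signature:  ", verifyCompactJWS(pub, signingInput+".not-base64!"))
}
```

The point of the example is the ordering of checks: decode, then validate the length against the curve, then split, then hand r and s to `ecdsa.Verify`, so every malformed signature is reported as invalid and no code path can index past the end of the input.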