fix(deps): update go-jose to new updated repo due to migration

[andrewpmartinez]

• updated from /square/go-jose to /go-jose/go-jose
• updates to v2.6.3
• addresses CVE-2016-9123 and CVE-2016-9121
• fixes tests that were adjusting for a 1s delay

Definition of Ready

• [x ] I am happy with the code
• [x ] Short description of the feature/issue is added in the pr description
• [ n/a] PR is linked to the corresponding user story
• [ n/a] Acceptance criteria are met
• [ n/a] All open todos and follow ups are defined in a new ticket and justified
• [ n/a] Deviations from the acceptance criteria and design are agreed with the PO and documented.
• [ x] No debug or dead code
• [ x] My code has no repetitions
• [ n/a] Critical parts are tested automatically
• [ n/a] Where possible E2E tests are implemented
• [ n/a] Documentation/examples are up-to-date
• [ n/a] All non-functional requirements are met
• [ n/a] Functionality of the acceptance criteria is checked manually on the dev system.

[fforootd]

Relates to https://discord.com/channels/927474939156643850/927866013545025566/1269022628191010929

[eliobischof]

@muhlemmer I see you changed square/go-jose to go-jose/go-jose in v3. Do you see any red flags if we change it also for v2?

Is it possible that the tests fails because uf the change to go-jose?

[muhlemmer]

@eliobischof I initially thought the same. But checking the error logs:

Error Trace:    /home/runner/work/oidc/oidc/pkg/op/op_test.go:391
2024-08-02T20:50:10.0979418Z            Error:          "{\"access_token\":\"7YRjDyaWUAY4Iiqnlp3HhDPJTax840IQ1MKcHHvCLjNhNKBEdTBKt2bJf4sMZWAHsGwNy0UAtoU\",\"issued_token_type\":\"urn:ietf:params:oauth:token-type:refresh_token\",\"token_type\":\"Bearer\",\"expires_in\":299,\"scope\":\"openid offline_access\",\"refresh_token\":\"9b6a1d27-e969-4ead-b4b8-c579b9db2c73\"}\n" does not contain "\",\"issued_token_type\":\"urn:ietf:params:oauth:token-type:refresh_token\",\"token_type\":\"Bearer\",\"expires_in\":300,\"scope\":\"openid offline_access\",\"refresh_token\":\""`

We do a very naive Contains check here on the JSON string. It seems the failed because in the op_test.go file @andrewpmartinez changed the expected expires_in from 299 to 300. IMO this change needs to be reverted.

As we round expires_in to seconds, it might be that rounding flips the second to either position, depending on how fast the tests run. It might be that on the local system of @andrewpmartinezc 300 is the correct value, but for me locally and in the pipeline 299 always worked. This might be improved, but as the test is a regression test on all routes, there is not one specific type we can unmarshal into and do more advanced assertions.

[muhlemmer]

@andrewpmartinez did you notice my review? Do you wish to proceed with this PR?

[andrewpmartinez]

@andrewpmartinez did you notice my review? Do you wish to proceed with this PR?

Yes, I did. I have been working on other tasks, but this is still relevant to me. I will try to address it this week.

[andrewpmartinez]

Done. Also, it was rebased to the top of 2.12.x for merge conflicts.

Running the tests locally do infact fail for me w/ rounding errors of 299 vs 300. I can't tell if the tests will pass in the CI pipeline till they run remotely. Fingers crossed.

[github-actions[bot]]

:tada: This PR is included in version 2.12.2 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: