Use golang-jwt/jwt instead of dgrijalva/jwt-go
#424
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@Gundersanne please review. |
jhernand
changed the title
dgrijalva/jwt instead of golang-jwt/jwt.golang-jwt/jwt instead of dgrijalva/jwt-go
The `dgrijalva/jwt-go` library is no longer maintained and `golang-jwt/jwt` is a community maintained fork. See dgrijalva/jwt-go#462 for detailts. Parts of the public interface of the SDK use this library, so this is a backwards compatibility breaking change. Projects using the SDK will need to switch to the new library, specially if they are using the `context.ContextWithToken` or `context.TokenFromContext` functions. The change should only require changing the import paths, as the fork is fully compatible with the original library. A simple way to do the required changes is the following command: ``` $ find . -name '*.go' | xargs sed -i 's|dgrijalva/jwt-go|golang-jwt/jwt|' ``` This also addresses CVE-2020-26160, but that vulnerability doesn't currently affect the SDK because the authentication handler doesn't use the `aud` claim. Related: openshift-online#421 Related: dgrijalva/jwt-go#462 Related: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160 Signed-off-by: Juan Hernandez <juan.hernandez@redhat.com>
croissanne
approved these changes
Aug 10, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
dgrijalva/jwt-golibrary is no longer maintained andgolang-jwt/jwtis acommunity maintained fork. See dgrijalva/jwt-go#462
for detailts.
Parts of the public interface of the SDK use this library, so this is a
backwards compatibility breaking change. Projects using the SDK will need to
switch to the new library, specially if they are using the
context.ContextWithTokenorcontext.TokenFromContextfunctions. The changeshould only require changing the import paths, as the fork is fully compatible
with the original library.
A simple way to do the required changes is the following command:
This also addresses CVE-2020-26160, but that vulnerability doesn't
currently affect the SDK because the authentication handler doesn't use
the
audclaim.Related: #421
Related: dgrijalva/jwt-go#462
Related: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160