Sign JSON Web Token (JWT)

[manute]

#769

[manute]

WIP

First Implementation to see if the approach I took is the correct one.
Also I would like to test it but I could not see other tests for similar cases like OAuth/2, so I was not sure how to test it.
Any feedback is really appreciated 👍

[Jeffail]

Hey @manute, a couple of comments but this looks fine to me.

[manute]

@Jeffail I think I've addressed all the feedback, thanks

[Jeffail]

Thanks @manute, this looks great. The pipeline will fail as the docs need generating with make docs, but as long as the unit tests pass I'll merge and do that myself.

[mihaitodor]

@manute @Jeffail I know this was merged, but I had a look at dgrijalva/jwt-go library and it looks like they have a preview release for a CVE as described here. Not sure if it's an issue for this use case. From the comments, it looks like form3 adopted a fork of it and made a bunch of security fixes. Then again, it seems this will be the new home for this library based on this conversation, but they just started moving it there.

[manute]

@mihaitodor thanks for the heads up. I believe this should be addressed in other PR, and when the official new home for this lib has added that sec issue. Because base on its README :

NEW VERSION COMING: There have been a lot of improvements suggested since the version 3.0.0 released in 2016. I'm working now on cutting two different releases: 3.2.0 will contain any non-breaking changes or enhancements. 4.0.0 will follow shortly which will include breaking changes. See the 4.0.0 milestone to get an idea of what's coming. If you have other ideas, or would like to participate in 4.0.0, now's the time. If you depend on this library and don't want to be interrupted, I recommend you use your dependency mangement tool to pin to version 3.

[mihaitodor]

I agree. I opened an issue to keep track of this situation: #779.