Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v2 features #86

Closed
17 of 21 tasks
grounded042 opened this issue Apr 23, 2021 · 34 comments
Closed
17 of 21 tasks

v2 features #86

grounded042 opened this issue Apr 23, 2021 · 34 comments
Assignees
Milestone

Comments

@grounded042
Copy link
Contributor

grounded042 commented Apr 23, 2021

This issue is here to list out all of the features we're working towards in v2. We have the milestone and I wanted to create an issue to explicitly call out everything we are working towards. Things can be checked off once they are merged into the v2 branch.

core features

validation features

before launch

  • update all documentation here (use go doc)
  • examples for popular http frameworks
  • update main Auth0 docs
  • update Auth0 quickstarts
  • create migration guide add a migration guide #99
  • blog post about release
@grounded042 grounded042 added this to the v2 milestone Apr 23, 2021
@jfatta jfatta self-assigned this Apr 30, 2021
@achandak123
Copy link

Any timeline for the V2 version? This version doesnt support list of audiences and custom claims. Hope V2 supports that.

@grounded042
Copy link
Contributor Author

Hey @achandak123! We don't have an official timeline, but I'm hoping for June/July of this year (hopefully sooner). I have a somewhat messy PR open into the v2 branch that, among other things, adds support for a list of audiences and custom claims. I'm hoping to clean that PR up by next weekend. Feel free to take a look if you'd like, but again, it's kind of messy and lacks some good examples: #84

@grounded042
Copy link
Contributor Author

Hey @achandak123 we are getting close to releasing v2. We would love if you were able to test out some of the changes we've made if you have some time.

@grounded042
Copy link
Contributor Author

grounded042 commented Jul 16, 2021

The best way to test is to use go get github.com/auth0/go-jwt-middleware@b4ac45bdac0c0ff483a0e3958a3368b6a68ad506 in your project. You might need to change the hash after the @ to whatever the latest commit on the v2 branch is: https://github.com/auth0/go-jwt-middleware/commits/v2.

Then you should be able to follow the migration guide for info on what has changed: https://github.com/auth0/go-jwt-middleware/tree/v2#migration-guide

@grounded042
Copy link
Contributor Author

We are close to releasing v2. The plan right now is to test throughout the month of August and then release it in early September.

@zeigernz
Copy link

zeigernz commented Aug 6, 2021

Can't wait for the new version!

@tommyk
Copy link

tommyk commented Aug 6, 2021

i wrote a gin middleware using this v2. the way this works with the error handler makes the code feel kind of funky, but it does work though. i will create another issue to show the code and ask input about what i noticed.

thanks for the hard work!

@brumhard
Copy link

Hi there,

I've just tested the new v2 and it seems to work great, I really like the changes especially the support for jwks out of the box.

One little thing I stumbled across is the new JWKSProvider, which takes the issuer URL and looks up the jwks URL from the oidc configuration. Sadly in my case no such endpoint is provided by the issuer. That's why it would be great if you could support directly passing the actual URL for the jwks endpoint instead of the issuer.

@avelino
Copy link

avelino commented Sep 6, 2021

is there an estimated release date for version 2?

@grounded042
Copy link
Contributor Author

@avelino due to some internal changes at Auth0 we're pushing the release back a bit. We'll get you an estimated date when we know more.

@avelino
Copy link

avelino commented Sep 14, 2021

@grounded042 If you need me to help you maintain go-jwt-middleware

@brumhard
Copy link

@grounded042 Are there any updates on this? I would love to use the new version 🚀

@grounded042
Copy link
Contributor Author

Hey @brumhard - I left Auth0 a month ago and am no longer working on this, however I did hand it off before I left. My hope is that they can pick this up and merge it in soon.

@brumhard
Copy link

@grounded042 alright thanks for the info and good luck for your new work 🙂

@sergiught
Copy link
Contributor

Hello everyone, really appreciate the patience around the v2 release! We'll be taking over the work on this within the next couple of weeks. So stay tuned 📺

@truescotian
Copy link

Hey @sergiughf, the migration guide references how to use v2 at very high level, but then link to v1 and godocs state v1.0.1 is the latest. Is there any guidance on viewing v2 docs to help with migration?

@sergiught
Copy link
Contributor

Hey @truescotian, really appreciate you taking a look at that guide! We merged the v2 branch into master but we did not officially release v2 yet as we are running a couple of last mile checks to ensure we did not miss anything. Once all last pieces fall into place we'll do the official release. We really appreciate everyone's patience! V2 release is extremely close, just 🐻 with us a tiny bit longer.

However if you want to already check the v2 docs you can do the following right now:

go install golang.org/x/tools/cmd/godoc
godoc -http=127.0.0.1:6060

And then you can view the docs at http://localhost:6060/pkg/github.com/auth0/go-jwt-middleware/

@sergiught
Copy link
Contributor

sergiught commented Nov 5, 2021

Hello everyone,

I'd like to give you all a quick update from our side on what's happening right now with v2.

We're in the process of performing a couple of internal checks we have for every major release. The soft deadline we set internally for releasing the next major version is the week starting November 15th.

The release will be a beta one and tagged with v2.0.0-beta. So we can give everyone a lengthier time to test the new major and rule out any potential issues. This means that by default when using go get github.com/auth0/go-jwt-middleware version 1.0.1 will still get fetched. To use the v2.0.0-beta you will explicitly have to set the version tag when you use go get as such: go get github.com/auth0/[email protected]. Please check out the migration guide to ensure your upgrade goes as smoothly as possible, as there are a few breaking changes.

Meanwhile we're also discussing @brumhard 's request over here #86 (comment) and see how we can introduce that into the beta release.

We really appreciate everyone's patience around this! We will be trying to post more regular status updates on everything that's happening under the scenes.

@avelino
Copy link

avelino commented Nov 5, 2021

@sergiughf

❯ prest (avelino/change-jwt-package) ✘ go get github.com/auth0/[email protected]
go: errors parsing go.mod:
/Users/thiago.avelino/projects/prest/prest/go.mod:6:5: require github.com/auth0/go-jwt-middleware: version "v2.0.0-beta" invalid: should be v0 or v1, not v2
❯ prest (avelino/change-jwt-package) ✘

@sergiught
Copy link
Contributor

Hey @avelino, apologies for the confusion. I should have been more clear in explaining that only once our internal checks are finished we can release the v2.0.0-beta tag. 🙇🏻 For now please use go get github.com/auth0/go-jwt-middleware@42d45ca897dd702bdf283002f529d5e02dabf86a which is the hash of the latest commit on master (v2 material).

@avelino
Copy link

avelino commented Nov 25, 2021

The soft deadline we set internally for releasing the next major version is the week starting November 15th.

@sergiughf, do you have news about the new version?

I am not just charging but showing interest in contributing if you need help

We use auth0/go-jwt-middleware at pREST (prest/prest#600) and I don't think it's worth switching to another middleware, so I'm available to help.

@sergiught
Copy link
Contributor

Hey @avelino, first of all I really appreciate the availability to support this project. I'll be having additional info regarding the new version on Thursday (2nd Dec) after I'll sync with the team responsible for the internal checks. Unfortunately this is taking longer than expected due to the internal company holiday we had for the week of thanksgiving. Rest assured however that we're still pushing through as fast as we can. I've been merging a couple of updates the past dates but I'm just waiting to cut the release after the internal approval.

@sergiught
Copy link
Contributor

sergiught commented Dec 3, 2021

Hey folks,

So a quick update, we expect to get internal clearance early next week after which we'll be able to cut the new v2.0.0-beta release. We'll keep the beta version around for 1-2 month(s) to give everyone time to test it, after which we'll promote it to v2.0.0.

screen-gif

@avelino
Copy link

avelino commented Dec 3, 2021

Congrats @sergiughf and teams 🎉

@avelino
Copy link

avelino commented Dec 3, 2021

@sergiughf you could generate a git tag in pre-release, so you can test it using go mod

@sergiught
Copy link
Contributor

Hey @avelino, appreciate the link! The v2.0.0-beta will be indeed a pre-release.

@grounded042
Copy link
Contributor Author

This is awesome! So glad this is getting released.

@sergiught
Copy link
Contributor

Hello folks,

We just released the v2.0.0-beta 🥳 !

You can start testing it by running go get github.com/auth0/go-jwt-middleware/[email protected].

In case of issues fetching the v2 you might want to try go clean --modcache first before doing go get.

I'll be closing this issue soon as we'll focus on issues raised from the beta phase.

We really appreciate everyones patience around this and all the contributions, and also all the hard work @grounded042 put into the v2 as well! It wouldn't have been able to get to this point without your contribution! 🙇🏻

@jamra
Copy link

jamra commented Dec 8, 2021

There doesn't seem to be a way to get the User out of the Context. The previous methods with Claims don't work.

Basically claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims) doesn't work. It returns nil

@sergiught
Copy link
Contributor

Hey @jamra, thanks for reporting this. Could you kindly open a bug issue so we can target support on this and provide us with further information like:

  • Describe the problem
  • What was the expected behavior?
  • Reproduction sample
  • Environment

Usually if your code ends up executing inside the handler it's safe to assume the validation has passed successfully and the token has been assigned as a value to the request context over here: https://github.com/auth0/go-jwt-middleware/blob/master/middleware.go#L89 as an instance of validator.ValidatedClaims. When setting up the validator if we pass WithClaims as an option the validator.ValidatedClaims.CustomClaims will get populated with the struct passed, however we will always have access to the RegisteredClaims.

claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims) is usually nil when the route is not correctly set up and the request passed through the chain of middlewares and handlers is interrupted.

For examples, following our BETA Quickstart from https://auth0.com/docs/quickstart/backend/golang-beta, if we don't execute this line here within the sample https://github.com/auth0-samples/auth0-golang-api-samples/blob/57e3d31f9d4f12946870cb02c230c77e1f5fde4f/01-Authorization-RS256-BETA/middleware/jwt.go#L75 the request that the gin Handler will have access to, won't have the ContextKey within it.

Hope this helps, but if not please open a separate issue to discuss this further:)

@avelino
Copy link

avelino commented Dec 9, 2021

@sergiughf Create a issue label to mark the issues that is from v2 or v1, so we can identify it easier

@jamra
Copy link

jamra commented Dec 9, 2021

For anyone who comes across this while searching, the issue was in porting the gin code over to my code.

var authMiddleware = func(h Handler) Handler {
		issuerURL, err := url.Parse("https://" + os.Getenv("AUTH0_DOMAIN") + "/")
		if err != nil {
			log.Fatalf("Failed to parse the issuer url: %v", err)
		}

		provider := jwks.NewCachingProvider(issuerURL, 5*time.Minute)

		jwtValidator, err := validator.New(
			provider.KeyFunc,
			validator.RS256,
			issuerURL.String(),
			[]string{os.Getenv("AUTH0_AUDIENCE")},
			validator.WithCustomClaims(&CustomClaims{}),
			validator.WithAllowedClockSkew(time.Minute),
		)
		if err != nil {
			log.Fatalf("Failed to set up the jwt validator")
		}

		errorHandler := func(w http.ResponseWriter, r *http.Request, err error) {
			fmt.Println("error:", err)
			log.Printf("Encountered error while validating JWT: %v", err)
		}

		middleware := jwtmiddleware.New(
			jwtValidator.ValidateToken,
			jwtmiddleware.WithErrorHandler(errorHandler),
		)

		return func(w http.ResponseWriter, r *http.Request) error {
			var encounteredError = true
			var handler http.HandlerFunc = func(w http.ResponseWriter, r *http.Request) {
				encounteredError = false
				// user := r.Context().Value(jwtmiddleware.ContextKey{})
				// fmt.Println("user:", user)

				h(w, r)
			}

			middleware.CheckJWT(handler).ServeHTTP(w, r)

			if encounteredError {
				return errors.New("encountered error")
				// ctx.AbortWithStatusJSON(
				// 	http.StatusUnauthorized,
				// 	map[string]string{"message": "Failed to validate JWT."},
				// )
			}

			// return h(w, r)
			return nil

		}
	}

Here I created my own middleware and used my own Handler that returns an error so I can log my errors in one place. You can just use http.Handler and not return from this function. My previous mistake was calling the handler from the function I'm returning instead of the one that sets encounteredError = false I now have the context.

@sergiught
Copy link
Contributor

sergiught commented Dec 9, 2021

@jamra That's amazing 🥳 ! Thank you so much for going the extra mile and providing this visibility for everyone! It really means a lot!

Also apologies for derailing this a bit, but perhaps you all would prefer if we showcase the middleware within our quickstarts just using a regular net/http mux compatible router instead of gin? We opted for gin as it's one of the most popular web frameworks for go right now but if this increases confusion we can keep being compatible with the stdlib instead. Would appreciate if you just react to my message with a 👍🏻 if you agree.

@jamra
Copy link

jamra commented Dec 9, 2021

Another thing I would like to see is the validation of ID tokens. There are methods deeper inside the middleware that just use jwt and jose to do so, but it would require a similar setup with the keyFunc and whatnot. I'm trying to use the ID token to get basic info about the user to be stored for future user communication.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants