
High severity issue in github.com/dgrijalva/jwt-go #394

Closed
sagikazarmark opened this issue Nov 19, 2020 · 7 comments · Fixed by #399 or #545
Labels
enhancement New feature or request pinned The issue must not be marked as stale

Comments

@sagikazarmark
Contributor

There is an unpatched, high severity issue in the aforementioned JWT package: dgrijalva/jwt-go#428

Unfortunately, it looks like the author completely abandoned the package.

There is a maintained fork that fixes the issue, but a lot of users seem to prefer gopkg.in/square/go-jose.v2 now.

@dunglas
Owner

dunglas commented Nov 25, 2020

AFAIU, we aren't affected by the security issue because we don't rely on audiences.
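For readers following the thread: the linked report (dgrijalva/jwt-go#428) concerns audience (`aud`) verification, which is why the question of whether a consumer "relies on audiences" decides exposure. The following stand-alone Go program is an added example, not code from this project or from jwt-go. It reproduces the shape of the pre-fix check (a single type assertion to `string`) beside a version that handles `aud` as an array, and runs both over constructed sample payloads; the function names, the payloads and the "signature already verified" precondition are assumptions of this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// Claims is the decoded JWT payload. "aud" is kept as interface{} because
// RFC 7519 allows it to be either a single string or an array of strings.
type Claims map[string]interface{}

// verifyAudVulnerable mirrors the pattern reported in dgrijalva/jwt-go#428:
// one type assertion to string. When "aud" is a JSON array (or any non-string)
// the assertion fails silently, aud becomes "", and an empty audience is
// accepted whenever the caller did not mark the claim as required.
func verifyAudVulnerable(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) != 0
}

// verifyAudFixed accepts both encodings of "aud" and fails closed on anything
// else (numbers, objects, arrays with non-string members).
func verifyAudFixed(c Claims, expected string, required bool) bool {
	var auds []string
	switch v := c["aud"].(type) {
	case nil:
		// claim absent; handled by the len(auds)==0 branch below
	case string:
		auds = []string{v}
	case []interface{}: // what encoding/json produces for a JSON array
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false
			}
			auds = append(auds, s)
		}
	default:
		return false
	}
	if len(auds) == 0 {
		return !required
	}
	// Compare every member so the loop cost does not depend on which one matches.
	match := false
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) != 0 {
			match = true
		}
	}
	return match
}

// parseClaims decodes a JWT payload segment (already base64url-decoded).
// Assumption of this example: the token signature was verified beforehand;
// claim validation never substitutes for signature validation.
func parseClaims(payload string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	return c, nil
}

func main() {
	// Constructed sample payloads for a service whose own audience is "billing-api".
	payloads := []string{
		`{"sub":"alice","aud":"billing-api"}`,
		`{"sub":"alice","aud":["reporting-api","metrics-api"]}`,
		`{"sub":"alice","aud":["billing-api","metrics-api"]}`,
		`{"sub":"alice","aud":42}`,
	}
	for _, p := range payloads {
		c, err := parseClaims(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-56s vulnerable=%-5v fixed=%v\n", p,
			verifyAudVulnerable(c, "billing-api", false),
			verifyAudFixed(c, "billing-api", false))
	}
}
```

The second and fourth payloads are the ones that matter: a token minted for a different audience, or with a malformed `aud`, passes the first check with `required=false` and is rejected by the second. With `required=true` the first check also rejects an array `aud`, because the empty string is then treated as "missing"; a consumer that never calls the audience check at all never reaches this code path, which is the reasoning in the comment above.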

@dunglas
Owner

dunglas commented Jan 6, 2021

I would like to migrate to https://github.com/square/go-jose. This should also fix #404.

@dunglas dunglas reopened this Jan 6, 2021
@divine
Contributor

divine commented Jan 7, 2021

> I would like to migrate to https://github.com/square/go-jose. This should also fix #404.

@dunglas 👋,

I think there are some conflicts with maintenance, and it doesn't look good that the main contributor left the company and it isn't being taken care of: square/go-jose#342 (comment)

Maybe, as suggested, this one is better: https://github.com/lestrrat-go/jwx?

Thanks!

@stale

stale bot commented Mar 9, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Mar 9, 2021
@stale stale bot closed this as completed Mar 16, 2021
@dunglas dunglas reopened this Mar 16, 2021
@stale stale bot removed the wontfix This will not be worked on label Mar 16, 2021
@dunglas dunglas added the pinned The issue must not be marked as stale label Apr 1, 2021
@dunglas
Owner

dunglas commented Apr 1, 2021

Related:

Currently, there is no clear winner between all the proposed replacements.
I proposed a patch to form3tech's fork to fix #404: form3tech-oss/jwt-go#11

I'll use my own fork until it is merged (#491), and we'll switch either to form3tech's fork, JWX or Square's lib (but this one looks unmaintained too) when a clear winner emerges.

@sagikazarmark
Contributor Author

Looks like go-jose v3 is just around the corner: https://github.com/go-jose/go-jose/releases

@townsymush

I think this might be the option going forward: https://github.com/golang-jwt/jwt. It's a direct fork of dgrijalva/jwt-go and is now being maintained. It would probably involve a lot less commitment to switch to.
