Use golang-jwt/jwt instead of dgrijalva/jwt-go #424
Merged
The dgrijalva/jwt-go library is no longer maintained and golang-jwt/jwt
is a community maintained fork. See dgrijalva/jwt-go#462 for details.
Parts of the public interface of the SDK use this library, so this is a
backwards compatibility breaking change. Projects using the SDK will need to
switch to the new library, especially if they are using the
context.ContextWithToken or context.TokenFromContext functions. The change
should only require changing the import paths, as the fork is fully compatible
with the original library.
A simple way to do the required changes is the following command:
This also addresses CVE-2020-26160, but that vulnerability doesn't
currently affect the SDK because the authentication handler doesn't use
the aud claim.
Related: #421
Related: dgrijalva/jwt-go#462
Related: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
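An added illustration, not code from this pull request, the SDK or either JWT library: a simplified model of the kind of `aud` handling behind CVE-2020-26160, with a string-only audience check next to one that also accepts the array form. The function names and claim payloads are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

func same(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

// legacyVerify: "aud" is asserted to a string, so a JSON array reads as "" (absent).
func legacyVerify(claims map[string]interface{}, want string, required bool) bool {
	aud, _ := claims["aud"].(string)
	if aud == "" {
		return !required
	}
	return same(aud, want)
}

// fixedVerify: handles both JSON shapes; a present claim must contain want.
func fixedVerify(claims map[string]interface{}, want string, required bool) bool {
	raw, present := claims["aud"]
	if !present {
		return !required
	}
	auds, _ := raw.([]interface{})
	if s, ok := raw.(string); ok {
		auds = []interface{}{s}
	}
	for _, a := range auds {
		if s, ok := a.(string); ok && same(s, want) {
			return true
		}
	}
	return false
}

// check runs both verifiers with required=false, the case where they differ.
func check(payload, want string) (legacy, fixed bool) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return false, false
	}
	return legacyVerify(claims, want, false), fixedVerify(claims, want, false)
}

func main() {
	fmt.Println(check(`{"aud":["other-service"]}`, "my-service")) // constructed payload
}
```

Code that never checks `aud`, as the description says of the SDK's authentication handler, never reaches either function.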