Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use golang-jwt/jwt instead of dgrijalva/jwt-go #424

Merged
merged 1 commit into from
Aug 10, 2021

Conversation

jhernand
Copy link
Collaborator

@jhernand jhernand commented Aug 10, 2021

The dgrijalva/jwt-go library is no longer maintained and golang-jwt/jwt is a
community maintained fork. See dgrijalva/jwt-go#462
for detailts.

Parts of the public interface of the SDK use this library, so this is a
backwards compatibility breaking change. Projects using the SDK will need to
switch to the new library, specially if they are using the
context.ContextWithToken or context.TokenFromContext functions. The change
should only require changing the import paths, as the fork is fully compatible
with the original library.

A simple way to do the required changes is the following command:

$ find . -name '*.go' | xargs sed -i 's|dgrijalva/jwt-go|golang-jwt/jwt|'

This also addresses CVE-2020-26160, but that vulnerability doesn't
currently affect the SDK because the authentication handler doesn't use
the aud claim.

Related: #421
Related: dgrijalva/jwt-go#462
Related: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160

@jhernand
Copy link
Collaborator Author

@Gundersanne please review.

@jhernand jhernand changed the title Use dgrijalva/jwt instead of golang-jwt/jwt. Use golang-jwt/jwt instead of dgrijalva/jwt-go Aug 10, 2021
The `dgrijalva/jwt-go` library is no longer maintained and `golang-jwt/jwt` is a
community maintained fork. See dgrijalva/jwt-go#462
for detailts.

Parts of the public interface of the SDK use this library, so this is a
backwards compatibility breaking change. Projects using the SDK will need to
switch to the new library, specially if they are using the
`context.ContextWithToken` or `context.TokenFromContext` functions. The change
should only require changing the import paths, as the fork is fully compatible
with the original library.

A simple way to do the required changes is the following command:

```
$ find . -name '*.go' | xargs sed -i 's|dgrijalva/jwt-go|golang-jwt/jwt|'
```

This also addresses CVE-2020-26160, but that vulnerability doesn't
currently affect the SDK because the authentication handler doesn't use
the `aud` claim.

Related: openshift-online#421
Related: dgrijalva/jwt-go#462
Related: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
Signed-off-by: Juan Hernandez <[email protected]>
Copy link
Contributor

@croissanne croissanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, thank you! Grepped through and can't find any other references, nice that it's just a drop-in replacement.

@jhernand jhernand merged commit 624dde3 into openshift-online:master Aug 10, 2021
@jhernand jhernand deleted the use_jwt_fork branch August 10, 2021 08:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants