Is there a ParserOption equivalent? #142

Closed
sergeybykov opened this issue Dec 21, 2021 · 4 comments
@sergeybykov

I can't seem to find ParserOption and a set of options that were introduced in this PR.

Specifically, we use WithAudience and WithoutAudienceValidation in our code. Is there a different way to do this after migration, or should ParserOption functionality be added to this repo?

@oxisto
Collaborator

oxisto commented Dec 23, 2021

We originated from the original v3 instead of the (experimental) v4 branch. This is why we have not fully implemented the parser options or rather the validation options yet. See #16 and also #139

@sergeybykov
Author

I see. Does this mean that audience is not currently enforced?
We had to upgrade to v4.0.0-preview1 of github.com/dgrijalva/jwt-go/ a few months ago to ensure that audience is validated and enforced. Should we wait with migration until validators are ported then?

@oxisto
Collaborator

oxisto commented Jan 3, 2022

> I see. Does this mean that audience is not currently enforced?

Yes and no. The way it currently works (based on the old 3.x.x branch) is that Valid() does not check the audience, because it has no extra parameter. You need to explicitly call VerifyAudience with the audience string you expect. This is then equivalent to the WithAudience parser option of the old v4-branch.

> We had to upgrade to v4.0.0-preview1 of github.com/dgrijalva/jwt-go/ a few months ago to ensure that audience is validated and enforced. Should we wait with migration until validators are ported then?

If you refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160, this has been fixed since the 3.2.1 release of this fork. However, you need to do the Valid/VerifyAudience flow described above instead of the more convenient WithAudience. Because of time constraints working on this, I do not have a good picture with regard to a time-frame for the "new" API.
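
The two-step flow described in the comment above, as an added example that is not part of the thread and not the library's own code. It models the flow with the Go standard library only: a signature check that never reads "aud", followed by an explicit audience check that accepts both the string and the array form of the claim and fails closed otherwise. The names parseSigned, audienceOK, sign and newToken, the key and the audience values are assumptions made for illustration, and time-claim validation is outside what it demonstrates.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// sign adds an HS256 tag to "header.payload"; newToken builds constructed samples.
func sign(msg string, key []byte) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(h.Sum(nil))
}

func newToken(claims string, key []byte) string {
	return sign(b64.EncodeToString([]byte(`{"alg":"HS256"}`))+"."+b64.EncodeToString([]byte(claims)), key)
}

// parseSigned checks the signature only; like the Valid() step above, it never reads "aud".
func parseSigned(tok string, key []byte) (map[string]interface{}, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(tok), []byte(sign(p[0]+"."+p[1], key))) {
		return nil, fmt.Errorf("malformed token or bad signature")
	}
	body, _ := b64.DecodeString(p[1])
	var claims map[string]interface{}
	return claims, json.Unmarshal(body, &claims)
}

// audienceOK is the explicit second step; a missing or non-string "aud" fails closed.
func audienceOK(claims map[string]interface{}, want string) bool {
	list, _ := claims["aud"].([]interface{}) // array form; nil when "aud" is one string
	for _, a := range append([]interface{}{claims["aud"]}, list...) {
		if a == want { // equal only if a holds a string with this value
			return true
		}
	}
	return false
}

func main() {
	claims, err := parseSigned(newToken(`{"aud":"api-b"}`, []byte("demo")), []byte("demo"))
	fmt.Println("signature ok:", err == nil, "audience ok:", audienceOK(claims, "api-a"))
}
```

A token issued for another service passes the first step and is rejected only by the second, which is why the explicit audience call has to be present at every place tokens are accepted.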

@sergeybykov
Author

Perfect. Thank you, @oxisto!
