Releases: lestrrat-go/jwx
Releases · lestrrat-go/jwx
v2.0.5
v2.0.4
v2.0.4 - 19 Jul 2022
[Bug Fixes]
* [jwk] github.com/lestrrat-go/httprc, which jwk.Cache depends on,
had a problem with inserting URLs to be re-fetched into its queue.
As a result it could have been the case that some JWKS were not
updated properly. Please upgrade if you use jwk.Cache.
* [jwk] cert.Get could fail with an out of bounds index look up
* [jwk] Fix doc buglet in `KeyType()` method
[New Features]
* [jws] Add `jws.WithMultipleKeysPerKeyID()` sub-option to allow non-unique
key IDs in a given JWK set. By default we assume that a key ID is unique
within a key set, but enabling this option allows you to handle JWK sets
that contain multiple keys that contain the same key ID.
* [jwt] Before v2.0.1, sub-second accuracy for time based fields
(i.e. `iat`, `exp`, `nbf`) were not respected. Because of this the code
to evaluate this code had always truncated any-subsecond portion
of these fields, and therefore no sub-second comparisons worked.
A new option for validation `jwt.WithTruncation()` has been added
to workaround this. This option controls the value used to truncate
the time fields. When set to 0, sub-second comparison would be
possible.
FIY, truncatation will still happen because we do not want to
use the monotonic clocks when making comparisons. It's just that
truncating using `0` as its argument effectively only strips out
the monotonic clock
v2.0.3
v2.0.2
v2.0.2 - 23 May 2022
[Bug Fixes][Security]
* [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding,
where the unpad operation might remove more bytes than necessary (#744)
This affects all jwx code that is available before v2.0.2 and v1.2.25.
[New Features]
* [jwt] RFC3339 timestamps are also accepted for Numeric Date types in JWT tokens.
This allows users to parse servers that errnously use RFC3339 timestamps in
some pre-defined fields. You can change this behavior by setting
`jwt.WithNumericDateParsePedantic` to `false`
* [jwt] `jwt.WithNumericDateParsePedantic` has been added. This is a global
option that is set using `jwt.Settings`
v1.2.25
v1.2.25 23 May 2022
[Bug Fixes][Security]
* [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding,
where the unpad operation might remove more bytes than necessary (#744)
This affects all jwx code that is available before v2.0.2 and v1.2.25.
v1.2.24
v2.0.0
v2 has many incompatibilities with v1. To see the full list of differences between
v1 and v2, please read the Changes-v2.md file (https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes-v2.md)
v2.0.0 - 24 Apr 2022
* This i the first v2 release, which represents a set of design changes
that were learnt over the previous 2 years. As a result the v2 API
should be much more consistent and uniform across packages, and
should be much more flexible to accomodate real-world needs.
For a complete list of changes, please see the Changes-v2.md file,
or check the diff at https://github.com/lestrrat-go/jwx/compare/v1...v2
[Miscellaneous]
* Minor house cleaning on code generation tools
[jwt]
* `jwt.ErrMissingRequiredClaim()` has been added
v2.0.0-beta2
v2.0.0-beta2 - 16 Apr 2022
[jwk]
* Updated `jwk.Set` API and reflected pending changes from v1 which were
left over. Please see Changes-v2.md file for details.
* Added `jwk.CachedSet`, a shim over `jwk.Cache` that allows you to
have to write wrappers around `jwk.Cache` that retrieves a particular
`jwk.Set` out of it. You can use it to, for example, pass `jwk.CachedSet`
to a `jws.Verify`
cache := jwk.NewCache(ctx)
cache.Register(ctx, jwksURL)
cachedSet := jwk.NewCachedSet(cache, jwksURL)
jws.Verify(signed, jws.WithKeySet(cachedSet))
v1.2.23
v2.0.0-beta1
v2.0.0-beta1 - 09 Apr 2022
[Miscellaneous]
* Renamed Changes.v2 to Changes-v2.md
* Housecleaning for lint action.
* While v2 was not affected, ported over equivalent test for #681 to catch
regressions in the future.
* Please note that there is no stability guarantees on pre-releases.