Releases: lestrrat-go/jwx
Releases · lestrrat-go/jwx
v1.2.13
v1.2.13 07 Dec 2021
[New Features]
* `jwt` package now has a `Builder` that may make it easier to programmatically
create a JWT for some users.
* `jwt` errors now can be distinguished between validation errors and others.
Use `jwt.IsValidationError()` to check if it's a validation error, and then
use `errors.Is()` to check if it's one of the known (oft-used) errors
v1.2.12
v1.2.12 01 Dec 2021
[New Features]
* `jwk.Set` can now parse private parameters. For example, after parsing
a JWKS serialized as `{"foo": "bar", "keys": [...]}`, users can get to
the value of `"foo"` by calling `set.Field("foo")`
* `jwk.Set` now has `Set()` method to set field values.
v1.2.11
v1.2.11 14 Nov 2021
[Security Fix]
* It was reported that since v1.2.6, it was possible to craft
a special JSON object to bypass JWT verification via `jwt.Parse`.
If you relied on this module to perform all the verification,
upgrade is strongly recommended.
v1.2.10
v1.2.9
v1.2.8
v1.2.8 21 Oct 2021
[Miscellaneous]
* `jws.Message`, `jws.Signature`, `jws.Headers` have been reworked
to allow JSON messages to be verified correctly. The problem can
be caused when protected headers are serialized one way (perhaps
`{"c":3","a":1,"b":2}` was used before being base64-encoded) but
the Go serialization differed from it (Go serializes in alphabetical
order: `{"a":1,"b":2,"c":3}`)
Messages serialized in compact form do NOT suffer from the
same problem.
This is close to fixes that went in v1.2.2. It boils down to the
fact that once deserialized, the JWS messages lose part of its
information (namely, the raw, original protected header value),
and neither users nor the developers of this library should
rely on it.
* Code generation has be refactored. The main go.mod should now
have slightly less dependencies.
v1.2.7
Lots of usability improvements around jwt.Parse()
and jwt.Validate()
!
v1.2.7 26 Sep 2021
[New features]
* `jwt.InferAlgorithmFromKey()` option is now available to "guess"
the algorithm used to verify the JWS signature on a JWT using
a JWKS (key set). This allows you to match JWKs that do not have
the `alg` field populated.
We understand that some providers do not provide the `alg` field,
which is a nuisance to users. But from a purely security minded PoV,
we don't think that this "try until something works" approach is a
good one, even if there are no known exploits. This is why the
default `jwt.Parse` mechanism is unchanged, and an explicit option
has been added.
* Types `jwt.KeySetProvider` and `jwk.KeySetProviderFunc` have been
added. Along with `jwt.WithKeySetProvider()` option, `jwt.Parse`
can now choose the `jwk.Set` to use for signature verification
dynamically using the UNVERFIEID token as a clue.
You should NOT trust the token information too much. For example,
DO NOT directly use values from the token as verificatin parameters
(such as the signature algorithm)
* `jwt.WithValidator()` has been added to allow users pass in aribtrary
validation code to the `jwt.Validate()` method.
It is also now possible to pass in a `context.Context` object to
`jwt.Validate()` using `jwt.WithContext()` option.
v1.2.6
v1.2.6 24 Aug 2021
[New features]
* Support `crypto.Signer` keys for RSA, ECDSA, and EdDSA family
of signatures in `jws.Sign`
[Miscellaneous]
* `jwx.GuessFormat()` now requires the presense of both `payload` and
`signatures` keys for it to guess that a JSON object is a JWS message.
* Slightly enhance `jwt.Parse()` performance.
v1.2.5
v1.2.5 04 Aug 2021
[New features]
* Implement RFC7797. The value of the header field `b64` changes
how the payload is treated in JWS
* Implement detached payloads for JWS
* Implement (jwk.AutoRefresh).ErrorSink() to register a channel
where you can receive errors from fetches and parses that occur during
JWK(s) retrieval.
v1.2.4
v1.2.4 15 Jul 2021
[Bug fixes]
* We had the same off-by-one in another place and jumped the gun on
releasing a new version. At least we were making mistakes uniformally :/
`(jwk.Set).Remove` should finally be fixed.
[New features]
* `(jwk.Set).Clone()` has been added.