chore: update golang-jwt to v5 (#1171)

David-Wobrock · web-flow · commit 361177a1f8d3 · 2024-09-23T10:04:19.000+02:00
diff --git a/credentials/signer.go b/credentials/signer.go
@@ -7,7 +7,7 @@ import (
 	"context"
 	"net/url"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 type Signer interface {
diff --git a/credentials/signer_default.go b/credentials/signer_default.go
@@ -11,7 +11,7 @@ import (
 	"reflect"
 
 	"github.com/go-jose/go-jose/v3"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/ed25519"
 )
diff --git a/credentials/signer_default_integration_test.go b/credentials/signer_default_integration_test.go
@@ -9,7 +9,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/ory/oathkeeper/internal"
 )
diff --git a/credentials/signer_default_test.go b/credentials/signer_default_test.go
@@ -10,7 +10,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
 
diff --git a/credentials/verifier.go b/credentials/verifier.go
@@ -7,7 +7,7 @@ import (
 	"context"
 	"net/url"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/ory/fosite"
 )
diff --git a/credentials/verifier_default.go b/credentials/verifier_default.go
@@ -10,7 +10,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 
 	"github.com/ory/fosite"
@@ -82,14 +82,14 @@ func (v *VerifierDefault) Verify(
 		}
 
 		return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf(`The signing key algorithm does not match the algorithm from the token header.`))
-	})
+	}, jwt.WithIssuedAt())
 	if err != nil {
-		if e, ok := errors.Cause(err).(*jwt.ValidationError); ok {
-			if _, ok := errors.Cause(e.Inner).(*herodot.DefaultError); !ok {
-				return nil, herodot.ErrInternalServerError.WithErrorf(e.Error()).WithTrace(err)
-			}
-
-			return nil, e.Inner
+		if errors.Is(err, jwt.ErrTokenUnverifiable) ||
+			errors.Is(err, jwt.ErrTokenUnverifiable) ||
+			errors.Is(err, jwt.ErrTokenSignatureInvalid) ||
+			errors.Is(err, jwt.ErrTokenInvalidClaims) ||
+			errors.Is(err, jwt.ErrTokenMalformed) {
+			return nil, herodot.ErrInternalServerError.WithErrorf(err.Error()).WithTrace(err)
 		}
 		return nil, err
 	} else if !t.Valid {
diff --git a/credentials/verifier_default_test.go b/credentials/verifier_default_test.go
@@ -10,7 +10,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
diff --git a/go.mod b/go.mod
@@ -27,7 +27,7 @@ require (
 	github.com/go-swagger/go-swagger v0.30.0
 	github.com/gobuffalo/httptest v1.5.2
 	github.com/gobwas/glob v0.2.3
-	github.com/golang-jwt/jwt/v4 v4.4.3
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/golang/gddo v0.0.0-20190904175337-72a348e765d2
 	github.com/golang/mock v1.6.0
 	github.com/google/go-replayers/httpreplay v1.1.1
diff --git a/go.sum b/go.sum
@@ -409,8 +409,8 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU=
-github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/gddo v0.0.0-20190904175337-72a348e765d2 h1:xisWqjiKEff2B0KfFYGpCqc3M3zdTz+OHQHRc09FeYk=
 github.com/golang/gddo v0.0.0-20190904175337-72a348e765d2/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
diff --git a/pipeline/authn/authenticator_jwt.go b/pipeline/authn/authenticator_jwt.go
@@ -9,7 +9,7 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/pkg/errors"
 	"go.opentelemetry.io/otel/trace"
 
@@ -130,7 +130,7 @@ func (a *AuthenticatorJWT) Authenticate(r *http.Request, session *Authentication
 }
 
 func (a *AuthenticatorJWT) tryEnrichResultErr(token string, err *herodot.DefaultError) *herodot.DefaultError {
-	t, _ := jwt.ParseWithClaims(token, jwt.MapClaims{}, nil)
+	t, _ := jwt.ParseWithClaims(token, jwt.MapClaims{}, nil, jwt.WithIssuedAt())
 	if t == nil {
 		return err
 	}
diff --git a/pipeline/authn/authenticator_jwt_test.go b/pipeline/authn/authenticator_jwt_test.go
@@ -12,7 +12,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/tidwall/sjson"
 
 	"github.com/ory/herodot"
diff --git a/pipeline/mutate/mutator_id_token.go b/pipeline/mutate/mutator_id_token.go
@@ -15,7 +15,7 @@ import (
 
 	"github.com/dgraph-io/ristretto"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/pborman/uuid"
 	"github.com/pkg/errors"
diff --git a/pipeline/mutate/mutator_id_token_test.go b/pipeline/mutate/mutator_id_token_test.go
@@ -22,7 +22,7 @@ import (
 	"github.com/ory/oathkeeper/x"
 	"github.com/ory/x/configx"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/ory/oathkeeper/credentials"
 	"github.com/ory/oathkeeper/driver/configuration"
diff --git a/test/e2e/okclient/main.go b/test/e2e/okclient/main.go
@@ -13,7 +13,7 @@ import (
 	"time"
 
 	"github.com/go-jose/go-jose/v3"
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/ory/oathkeeper/x"
 	"github.com/ory/x/cmdx"

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import (`
`7`	`7`	`"context"`
`8`	`8`	`"net/url"`
`9`	`9`
`10`		`- "github.com/golang-jwt/jwt/v4"`
	`10`	`+ "github.com/golang-jwt/jwt/v5"`
`11`	`11`	`)`
`12`	`12`
`13`	`13`	`type Signer interface {`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ import (`
`11`	`11`	`"reflect"`
`12`	`12`
`13`	`13`	`"github.com/go-jose/go-jose/v3"`
`14`		`- "github.com/golang-jwt/jwt/v4"`
	`14`	`+ "github.com/golang-jwt/jwt/v5"`
`15`	`15`	`"github.com/pkg/errors"`
`16`	`16`	`"golang.org/x/crypto/ed25519"`
`17`	`17`	`)`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ import (`
`9`	`9`	`"testing"`
`10`	`10`	`"time"`
`11`	`11`
`12`		`- "github.com/golang-jwt/jwt/v4"`
	`12`	`+ "github.com/golang-jwt/jwt/v5"`
`13`	`13`
`14`	`14`	`"github.com/ory/oathkeeper/internal"`
`15`	`15`	`)`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ import (`
`9`	`9`	`"net/http"`
`10`	`10`	`"strings"`
`11`	`11`
`12`		`- "github.com/golang-jwt/jwt/v4"`
	`12`	`+ "github.com/golang-jwt/jwt/v5"`
`13`	`13`	`"github.com/pkg/errors"`
`14`	`14`	`"go.opentelemetry.io/otel/trace"`
`15`	`15`
`@@ -130,7 +130,7 @@ func (a AuthenticatorJWT) Authenticate(r http.Request, session *Authentication`
`130`	`130`	`}`
`131`	`131`
`132`	`132`	`func (a AuthenticatorJWT) tryEnrichResultErr(token string, err herodot.DefaultError) *herodot.DefaultError {`
`133`		`- t, _ := jwt.ParseWithClaims(token, jwt.MapClaims{}, nil)`
	`133`	`+ t, _ := jwt.ParseWithClaims(token, jwt.MapClaims{}, nil, jwt.WithIssuedAt())`
`134`	`134`	`if t == nil {`
`135`	`135`	`return err`
`136`	`136`	`}`