Comments (21)
I'd like to explore using square/go-jose and try to fill in the gaps when it's not adhering to best practices that we at least care about for the purposes of the middleware.
from go-jwt-middleware.
Nice job @JayHelton - I left some comments.
I also had a thought while looking over your code: what if instead of depending on a specific package we built an interface? We could then provide some common implementations such as using JWX. I briefly passed it by @cyx and I think I'll take a spike to see what that interface might look like.
@JayHelton sure, the more ideas the better! 👍 I'd also like to see how many "production grade" services use the libraries as well.
☝️ that's the first pass - sorry I didn't see the message sooner otherwise I would have been down to pair. Feedback in there is appreciated. If it looks like something we want to explore more I can take a pass at a first implementation.
We just released the v2.0.0-beta 🥳 !
You can start testing it by running go get github.com/auth0/go-jwt-middleware/v2@v2.0.0-beta.
In case of issues fetching the v2 you might want to try go clean --modcache first before doing go get.
I'm closing this issue as now this is part of v2, but feel free to reopen if needed.
lestrrat-go/jwx would be another option to look at. It is ultimately a more opinionated package than go-jose though.
I can throw up a small poc for it. I have a couple ideas, if that is cool.
JWX provides variadic params for parsing and validating claims on the token, so I'd like to see if that could be leveraged well. But if we still want to provide a user-defined validation func as an option, which I personally like, we can ignore those options.
Here is a WIP PoC (I haven't touched tests yet) using lestrrat-go/jwx:
master...JayHelton:jwx-poc-one
Currently it takes in an array of ValidateOptions, which are a JWX interface from the JWT module, and then just the Key as an Option.
We can also bring back the ValidationKeyGetter and provide a more free-form token check, which I'm going to PoC on a different branch.
I do want to point out that the JWX module does bring a bit of bloat in the modules with it.
I've done some more stewing on the use of JWX.
lestrrat-go/jwx does seem to be getting favor in the community.
- the maintainer is responsive and consistently doing work in the repo
- the implementation is straightforward, though I would like some thoughts on how idiomatic it is (not a lot of professional Go experience)
At first I was skeptical about wanting to change the middleware's interface to take in validation options as an array, instead of exposing a validation func that the token runs through.
Ultimately we can still provide that functionality so the user of the middleware has a nice hook where a user can do whatever they want: logging, complex validations, etc.
If there are no strong arguments against it, I'm going to progress more on the PoC above to include some more ideas.
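The interface idea discussed in this thread, as an added example that is not code from go-jwt-middleware, jwx or go-jose: the middleware depends only on a Validator interface, a hypothetical stdlib-only HS256 adapter stands in for the jwx or go-jose adapters the thread mentions, and the user-defined hook the thread wants to keep runs after the built-in checks. The names HS256Validator, SignHS256, Claims and Middleware, the constructed key and the claims values are all assumptions of this example.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Validator is the provider-neutral interface the thread proposes; an adapter for jwx, go-jose or jwt-go would each implement it.
type Validator interface {
	ValidateToken(ctx context.Context, token string) (interface{}, error)
}

// Claims carries the registered claims this example checks.
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"`
}

// HS256Validator is a hypothetical stdlib-only adapter written for this example.
type HS256Validator struct {
	Key      []byte
	Issuer   string
	Audience string
	Now      func() time.Time // injected clock; time.Now in production
	// Custom is the user-defined hook the thread wants to keep (logging, extra
	// rules); it runs only after signature, expiry, issuer and audience pass.
	Custom func(ctx context.Context, c *Claims) error
}

// SignHS256 mints a token for the constructed inputs; in production the identity provider issues tokens.
func SignHS256(key []byte, c Claims) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload, _ := json.Marshal(c)
	input := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc(mac.Sum(nil))
}

func (v *HS256Validator) ValidateToken(ctx context.Context, token string) (interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm: nothing in the header is trusted until the MAC checks out.
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or malformed header")
	}
	mac := hmac.New(sha256.New, v.Key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Expires == 0 || v.Now().Unix() >= c.Expires {
		return nil, errors.New("token expired or missing exp")
	}
	if c.Issuer != v.Issuer || c.Audience != v.Audience {
		return nil, errors.New("issuer or audience mismatch")
	}
	if v.Custom != nil {
		if err := v.Custom(ctx, &c); err != nil {
			return nil, fmt.Errorf("custom check: %w", err)
		}
	}
	return &c, nil
}

// Middleware puts any Validator in front of next; it never learns which JWT library is behind it.
func Middleware(v Validator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		if _, err := v.ValidateToken(r.Context(), strings.TrimPrefix(auth, "Bearer ")); err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The adapter pins the algorithm and verifies the MAC before it decodes the claims, so the Custom hook only ever sees authenticated, unexpired claims for the expected issuer and audience; swapping in a jwx- or go-jose-backed type only requires another ValidateToken implementation, and the middleware is untouched.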
Thanks for taking a stab at this for JWX @JayHelton. I looked over your code and have a couple of comments. Do you think you could open it up as a draft PR here so I (and others) can add the comments inline?
Done! #76
Thank you!
Perfect. I'll take a look this afternoon.
@grounded042 I like that idea!
Then servers could choose whichever impl they feel most confident about.
I'm down to rubber ducky if you would like someone to bounce ideas off of.
With this interface setup we could have some first adapters of JWX and square/go-jose.
I've made some good progress on go-jose: v2...jon/go-jose-token-validator
Just to be sure that you are also aware of this: there is currently a discussion going on about if (or more how) the community is going to pick up maintaining jwt-go in dgrijalva/jwt-go#462, after the original author came back from their hiatus and suggested migrating maintenance.
Thanks @oxisto! I think we are set in this regard - we've built the replacement in such a way that you can switch out providers like jwt-go with a small amount of code.
Understood. Is there anything we can do from the jwt-go side of things, e.g. to write a validator PR similar to the one you have for jose? Or would that be something external to the project? We do of course have some interest in keeping the jwt-go project alive, since it has/had quite a large user base.
Update: I have looked into the interface you have built and spun up a quick implementation of this in https://github.com/oxisto/go-jwt-middleware/tree/jwt-go-validator. It is not yet finished and also still depends on the actual first release of https://github.com/golang-jwt/jwt. I can prepare a PR once that is done.
> Is there anything we can do from the jwt-go side of things, e.g. to write a validator PR similar to the one you have for jose?

Yes, the contribution of a jwt-go validator via a PR would be welcome. I took a quick glance at the code you have up and you are on the right track! This is much appreciated 🙇
What else needs to be done to switch over to github.com/golang-jwt/jwt? It appears the linked PR by @mohdrasbi needs to be approved. How can we get this moving?
Ideally this project would not need that PR as we have #86. v2 is feature complete IMO and just needs to be merged in. It already includes golang-jwt/jwt. As I mentioned in #86, I left Auth0 about a month ago so I am no longer maintaining this project, but I do want to see v2 released and did hand the project off before I left.
According to GHSA-w73w-5m7g-f7qc, the jwt library updated its import path, but that import path is still not updated in master. I saw the PR was out for that; any idea how we can use that?