fix(deps): update module github.com/micahparks/keyfunc to v1.9.0 #573
This PR contains the following updates:
github.com/micahparks/keyfunc: v1.2.2 -> v1.9.0
Release Notes
MicahParks/keyfunc
v1.9.0: Multiple JWK Set support
The purpose of this release is to add support for multiple JWK Sets. Through the use of the new `keyfunc.GetMultiple` function, package users can now specify multiple remote JWK Set resources and produce one `jwt.Keyfunc`. It is not recommended to use the `RefreshUnknownKID` field on `keyfunc.Options` when using multiple JWK Sets. Thank you to @aklinkert for this feature request!
v1.8.0: Allow manual refresh of a remote JWKS resource
The purpose of this release is to add a method to manually refresh the remote JWKS resource. This can bypass the rate limit, if the option is set. Please see the new `.Refresh` method.
v1.7.0: Allow JWKS JSON to be made into Given Keys
The purpose of this release is to add a function that can transform raw JWKS JSON into `map[string]keyfunc.GivenKey`. This supports the use case where JWKS JSON is given, but a remote resource is also needed via `keyfunc.Get`. The `map[string]keyfunc.GivenKey` can be passed via the `GivenKeys` field in the `keyfunc.Options` argument. Thank you to @sean-rn for this contribution!
v1.6.0: Specify signing algorithm for given keys
The purpose of this release is to allow package users to specify which signing algorithms in JWT headers are required for which given keys. Keys from a remote JWK Set had their algorithm checked in release 1.5.2. For discussion, please see the related issue.
Thank you to our new contributor, @sean-rn!
Please note the following functions have been deprecated and replaced:
`NewGivenCustom` --> `NewGivenCustomWithOptions`
`NewGivenECDSA` --> `NewGivenECDSAWithOptions`
`NewGivenEdDSA` --> `NewGivenEdDSAWithOptions`
`NewGivenHMAC` --> `NewGivenHMACWithOptions`
`NewGivenRSA` --> `NewGivenRSAWithOptions`
This is a consequence of not providing options for given keys in the initial implementation.
v1.5.3: Handle invalid ECDSA curve in JWK
The purpose of this pull request is to add a `default` `switch` case for ECDSA curve selection. Previously, if an invalid or empty `crv` JWK parameter was given for an ECDSA key, there would be a nil pointer dereference panic. You can find more information about valid `crv` ECDSA JWK parameters in this RFC: https://www.rfc-editor.org/rfc/rfc7518#section-6.2.1.1
Thank you to our new contributor, @btoews!
v1.5.2: Confirm JWK algorithm
The purpose of this release is to confirm the `alg` parameter in a JWK matches the `alg` in a JWT's header before returning that JWK's public key for signature verification. For discussion, please see the related issue. Thank you, @sermojohn, for opening this issue!
v1.5.1: JSON Web Keys restricted by "use" parameter
The purpose of this PR is to restrict what keys are returned by the `.Keyfunc` method based on their JWK's `"use"` parameter's value. Two new `keyfunc.Options` fields have been added: `JWKUseWhitelist` and `JWKUseNoWhitelist`.
The default behavior of this package has changed to enhance the security of this package. The new default behavior will return `keyfunc.ErrJWKUseWhitelist` if a JWT has been signed by a parsed JWK whose `"use"` parameter value is not `"sig"`, the empty string `""`, or a JWK with no `"use"` parameter. If your use case involved a custom JWK `"use"` parameter value, you will need to specify your custom value(s) in the new `JWKUseWhitelist` field on the `keyfunc.Options` data structure. The previous default behavior would not cause an error if a JWK's `"use"` parameter's value was `"enc"`, which would be an improper JWK for signing a JWT. See https://tools.ietf.org/html/rfc7517#section-4.2
Thank you to our new contributor, @trevorlyman!
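The three checks the v1.5.1, v1.5.2 and v1.5.3 notes describe (a `"use"` whitelist, `alg` agreement between JWK and JWT header, and a default case for an unknown `crv`), as an added stand-alone illustration in Go that is not keyfunc's own code: it uses only the standard library, the JWK Set JSON is constructed, and `selectKey`, the `whitelist` parameter and the `Err*` names are this example's, not the library's API.

```go
package main

import (
	"crypto/elliptic"
	"encoding/json"
	"errors"
)

// Constructed sample JWK Set: a signing key, an encryption key, and an EC key with an unsupported curve name.
const sampleJWKS = `{"keys":[
 {"kid":"rsa-sig","kty":"RSA","use":"sig","alg":"RS256"},
 {"kid":"rsa-enc","kty":"RSA","use":"enc","alg":"RSA-OAEP"},
 {"kid":"ec-bad","kty":"EC","use":"sig","alg":"ES256","crv":"P-999"}]}`
// jwk holds only the parameters inspected here (RFC 7517/7518 names; encoding/json matches them case-insensitively).
type jwk struct{ Kid, Kty, Use, Alg, Crv string }
// Error names are this example's own, not keyfunc's exported errors.
var (
	ErrJWKUse   = errors.New(`JWK "use" not whitelisted for signing`)
	ErrJWKAlg   = errors.New(`JWK "alg" does not match JWT header "alg"`)
	ErrJWKCurve = errors.New(`unsupported or missing ECDSA "crv"`)
)
// curves maps "crv" to a curve; an unknown or empty crv yields nil and is rejected before anything dereferences it.
var curves = map[string]elliptic.Curve{"P-256": elliptic.P256(), "P-384": elliptic.P384(), "P-521": elliptic.P521()}

// selectKey picks the JWK named by the JWT header's kid and applies the checks the v1.5.1 to v1.5.3
// notes describe before the key would reach signature verification. whitelist plays the role of
// JWKUseWhitelist: additional "use" values the caller chooses to accept.
func selectKey(rawJWKS []byte, kid, headerAlg string, whitelist map[string]bool) (*jwk, error) {
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(rawJWKS, &set); err != nil {
		return nil, err
	}
	for i := range set.Keys {
		k := &set.Keys[i]
		if k.Kid != kid {
			continue
		}
		if k.Use != "" && k.Use != "sig" && !whitelist[k.Use] { // v1.5.1: "use" must permit signing
			return nil, ErrJWKUse
		}
		if k.Alg != headerAlg { // v1.5.2: the JWK's alg must agree with the JWT header's alg
			return nil, ErrJWKAlg
		}
		if k.Kty == "EC" && curves[k.Crv] == nil { // v1.5.3: a default case instead of a nil curve
			return nil, ErrJWKCurve
		}
		return k, nil
	}
	return nil, errors.New("no JWK with that kid")
}
```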
v1.5.0
v1.4.0: Check HTTP status code
The purpose of this release is to change the default behavior of the `ResponseExtractor` to use the `keyfunc.ResponseExtractorStatusOK` function. Changing the default behavior is being treated as a bug fix. This release also fixes a bug within `keyfunc.ResponseExtractorStatusOK`, which didn't close the HTTP response body (resource leak); that bug only affected `v1.3.0`, which is now retracted in the `go.mod`.
This release also contains:
`ResponseExtractorStatusAny`: a helper function that uses the old behavior of ignoring the HTTP status code when extracting the JWKS JSON from the response.
`.Len`: this method returns the number of keys in the JWKS.
v1.3.0: Add response extractor
Edit: This release has been retracted due to a bug in `ResponseExtractorStatusOK` not closing the response body. Please upgrade to `v1.4.0`.
The purpose of this release is to allow for custom HTTP response extractors. A response extractor is responsible for consuming an `*http.Response` and producing the raw JWK Set JSON. It is also responsible for closing the body of the `*http.Response`.
I plan on following up this release with `v1.3.1` soon. This upcoming release will change the default behavior of how the package handles HTTP response codes, returning a non-nil error in cases such as a `500` HTTP response code.
New additions:
`keyfunc.Options` has a new field named `ResponseExtractor` that, when provided, is responsible for the behavior described above.
`keyfunc.ResponseExtractorStatusOK` is a helper function to fit into the `ResponseExtractor` field in `keyfunc.Options`.
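As an added example that is not keyfunc's code, this is what the v1.3.0 and v1.4.0 notes ask of a response extractor: consume an `*http.Response`, close its body on every path (the resource leak fixed in v1.4.0), and refuse a non-200 reply instead of parsing it as a JWK Set (the v1.4.0 default). `extractJWKS`, `closeTracker` and `newResponse` are names of this example, and the responses are constructed offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// closeTracker wraps a body so a caller can confirm Close ran on every path.
type closeTracker struct {
	io.Reader
	Closed bool
}

func (c *closeTracker) Close() error {
	c.Closed = true
	return nil
}

// extractJWKS does what the v1.3.0 and v1.4.0 notes ask of a response extractor:
// it always closes the body and refuses to treat a non-200 reply as a JWK Set.
func extractJWKS(resp *http.Response) (json.RawMessage, error) {
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
		return nil, fmt.Errorf("JWKS fetch returned HTTP %d", resp.StatusCode)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if !json.Valid(body) {
		return nil, errors.New("JWKS response is not valid JSON")
	}
	return body, nil
}

// newResponse builds a constructed *http.Response for offline use and returns
// the tracker so the caller can check that the body was closed.
func newResponse(status int, body string) (*http.Response, *closeTracker) {
	ct := &closeTracker{Reader: strings.NewReader(body)}
	return &http.Response{StatusCode: status, Body: ct}, ct
}
```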
Configuration
📅 Schedule: Branch creation - "before 12pm on Tuesday, before 12pm on Friday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.