diff --git a/go.mod b/go.mod
index bff421fc..b4743944 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.18
 require (
 github.com/go-chi/chi/v5 v5.1.0
- github.com/golang-jwt/jwt/v4 v4.2.0
+ github.com/golang-jwt/jwt/v5 v5.2.1
 github.com/gorilla/mux v1.6.2
 github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1
 github.com/gorilla/sessions v1.1.1
diff --git a/go.sum b/go.sum
index 75497ee0..40b2e076 100644
--- a/go.sum
+++ b/go.sum
@@ -13,8 +13,8 @@ github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
 github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
-github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
diff --git a/providers/apple/apple.go b/providers/apple/apple.go
index 9ab85b4c..cd3926b7 100644
--- a/providers/apple/apple.go
+++ b/providers/apple/apple.go
@@ -13,7 +13,7 @@ import (
 "strings"
 "time"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/markbates/goth"
 "golang.org/x/oauth2"
 )
diff --git a/providers/apple/session.go b/providers/apple/session.go
index e80e1bab..becfef36 100644
--- a/providers/apple/session.go
+++ b/providers/apple/session.go
@@ -10,7 +10,7 @@ import (
 "fmt"
 "time"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/lestrrat-go/jwx/jwk"
 "github.com/markbates/goth"
 "golang.org/x/oauth2"
@@ -48,7 +48,7 @@ func (s Session) Marshal() string {
 }
 type IDTokenClaims struct {
- jwt.StandardClaims
+ jwt.RegisteredClaims
 AccessTokenHash string `json:"at_hash"`
 AuthTime int `json:"auth_time"`
 Email string `json:"email"`
@@ -80,17 +80,10 @@ func (s *Session) Authorize(provider goth.Provider, params goth.Params) (string,
 idToken, err := jwt.ParseWithClaims(idToken.(string), &IDTokenClaims{}, func(t *jwt.Token) (interface{}, error) {
 kid := t.Header["kid"].(string)
 claims := t.Claims.(*IDTokenClaims)
- vErr := new(jwt.ValidationError)
- if !claims.VerifyAudience(p.clientId, true) {
- vErr.Inner = fmt.Errorf("audience is incorrect")
- vErr.Errors |= jwt.ValidationErrorAudience
- }
- if !claims.VerifyIssuer(AppleAudOrIss, true) {
- vErr.Inner = fmt.Errorf("issuer is incorrect")
- vErr.Errors |= jwt.ValidationErrorIssuer
- }
- if vErr.Errors > 0 {
- return nil, vErr
+ validator := jwt.NewValidator(jwt.WithAudience(p.clientId), jwt.WithIssuer(AppleAudOrIss))
+ err := validator.Validate(claims)
+ if err != nil {
+ return nil, err
 }
 // per OpenID Connect Core 1.0 ยง3.2.2.9, Access Token Validation
@@ -98,9 +91,7 @@ func (s *Session) Authorize(provider goth.Provider, params goth.Params) (string,
 halfHash := hash[0:(len(hash) / 2)]
 encodedHalfHash := base64.RawURLEncoding.EncodeToString(halfHash)
 if encodedHalfHash != claims.AccessTokenHash {
- vErr.Inner = fmt.Errorf(`identity token invalid`)
- vErr.Errors |= jwt.ValidationErrorClaimsInvalid
- return nil, vErr
+ return nil, fmt.Errorf(`identity token invalid`)
 }
 // get the public key for verifying the identity token signature
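Review bot: IDTokenClaims is an exported type and still carries no doc comment, and the swap of the embedded jwt.StandardClaims for jwt.RegisteredClaims is exactly the place to record what the embedding supplies, since RegisteredClaims represents the audience as jwt.ClaimStrings and the time claims as *jwt.NumericDate rather than plain string/int64 values. I would add `// IDTokenClaims is the claim set of the id_token Apple returns; the embedded RegisteredClaims carries iss, aud, exp and iat.` above `type IDTokenClaims struct {`. Any code outside this hunk that read the old StandardClaims fields directly would need the same update; presumably that was checked, but it is not visible here.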
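Review bot: The new `err := validator.Validate(claims)` followed by a separate `if err != nil` introduces a closure-scoped err whose only use is the next line; the idiomatic form is `if err := validator.Validate(claims); err != nil {` / `return nil, err` / `}`, which also avoids shadowing the outer err from the ParseWithClaims assignment. Note that the v5 Validator also checks exp, nbf and iat with zero leeway here, inside the key function, i.e. before the signature has been verified; that is harmless (the token is rejected either way) but is a behavioural difference from the removed code, which only checked aud and iss at this point. While here, the unchanged `kid := t.Header["kid"].(string)` two lines above is an unchecked assertion that panics on a token whose header lacks a string kid; `kid, ok := t.Header["kid"].(string)` with an error return when !ok would make the key function fail closed instead. The enclosing Authorize method and the key function continue outside this hunk.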
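Review bot: `return nil, fmt.Errorf(`identity token invalid`)` passes a constant string with no formatting verbs (go vet flags this) and, unlike the removed ValidationErrorClaimsInvalid path, returns an error that callers cannot classify with errors.Is against the jwt sentinels, whereas the aud/iss failures from Validate in the previous hunk do carry them. Wrapping a v5 sentinel keeps the at_hash mismatch distinguishable without changing the message: `return nil, fmt.Errorf("identity token invalid: %w", jwt.ErrTokenInvalidClaims)`. If classification is not wanted, `errors.New` is the vet-clean alternative, but the errors import is not visible in this diff. The at_hash check itself depends on `hash`, which is computed outside the hunk.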