Skip to content

Releases: lestrrat-go/jwx

v1.2.17

Choose a tag to compare

@lestrrat lestrrat released this 12 Jan 10:12
v1.2.17 12 Jan 2022
[Miscellaneous]
  * Re-release v1.2.16 as v1.2.17 because of an error in the release process.
    The code is exactly the same as what v1.2.16 intended to release.
    v1.2.16 has been retracted in go.mod.

The content for v1.2.16 is left below for reference:

v1.2.16 12 Jan 2022

  THIS VERSION HAS BEEN RETRACTED. PLEASE USE v1.2.17

[Bug Fixes]
  * Peviously, `jws.Sign()` could not create a signed payload with
    detached and unencoded payload, even when the documentation said it could.
    Now you may use the `jws.Sign()` in the following way to create
    a JWS message with detached, unencoded state:

       hdrs := jws.NewHeaders()
       hdrs.Set("b64", false)
       hdrs.Set("crit", "b64")
       jws.Sign(nil, alg, key, jws.WithDetachedPayload(payload), jws.WithHeaders(hdrs))

    Notice the use of `nil` for the first parameter, and the use of
    `jws.WithDetachedPayload()`.

    We realize this is not exactly a clean API, but this is currently the
    only way to implement this in a backward-compatible fashion. Most likely
    this will change in a future major version.
[Miscellaneous]
  * `jws.WithDetachedPayload()` is now of type `jws.SignVerifyOption`, which
    satisfies both `jws.SignOption` and `jws.VerifyOption`

v1.2.16

Choose a tag to compare

@lestrrat lestrrat released this 12 Jan 05:30
v1.2.16 12 Jan 2022
[Bug Fixes]
  * Peviously, `jws.Sign()` could not create a signed payload with
    detached and unencoded payload, even when the documentation said it could.
    Now you may use the `jws.Sign()` in the following way to create
    a JWS message with detached, unencoded state:

       hdrs := jws.NewHeaders()
       hdrs.Set("b64", false)
       hdrs.Set("crit", "b64")
       jws.Sign(nil, alg, key, jws.WithDetachedPayload(payload), jws.WithHeaders(hdrs))

    Notice the use of `nil` for the first parameter, and the use of
    `jws.WithDetachedPayload()`.

    We realize this is not exactly a clean API, but this is currently the
    only way to implement this in a backward-compatible fashion. Most likely
    this will change in a future major version.
[Miscellaneous]
  * `jws.WithDetachedPayload()` is now of type `jws.SignVerifyOption`, which
    satisfies both `jws.SignOption` and `jws.VerifyOption

v1.2.15

Choose a tag to compare

@lestrrat lestrrat released this 06 Jan 23:31
v1.2.15 07 Jan 2022
[New Features]
  * `(jwk.AutoRefresh).Remove()` has been implemented.
[Bug Fixes]
  * ES256K is now included in the list of JWS inferred algorithms, if it's
    enabled via -tags jwx_es256k
[Miscellaneous]
  * `jwt.Parse` has been improved for efficiency and has more tests to
    cover corner cases.
  * Documentation fixes

v1.2.14

Choose a tag to compare

@lestrrat lestrrat released this 22 Dec 01:36
v1.2.14 22 Dec 2021
[New Features]
  * `jwk.Fetch()` and `(*jwk.AutoRefresh).Configure()` can now take `jwk.Whitelist`
    object to check for the validity of a url to be fetched
  * `jws.VerifyAuto()` has been added to verify payloads that can be verified
    using the JWK set provided in the "jku" field. This function is purposely
    separated from the `jws.Verify()` function because 1) the required parameters
    are different, and 2) Users MUST be aware that they are doing a totally
    different operation than a regular `jws.Verify()`
  * `(jwk.AutoRefresh).IsRegistered()` has been added.

[Bug fixes]
  * `jws.SignMulti()` has been fixed to assign the "kid" field of the key used
    for signing the payload
  * `jws.SignMulti()` has been fixed to respect the "kid" field of the protected
    header, not the public header

v1.2.13

Choose a tag to compare

@lestrrat lestrrat released this 07 Dec 03:01
v1.2.13 07 Dec 2021
[New Features]
  * `jwt` package now has a `Builder` that may make it easier to programmatically
    create a JWT for some users.
  * `jwt` errors now can be distinguished between validation errors and others.
    Use `jwt.IsValidationError()` to check if it's a validation error, and then
    use `errors.Is()` to check if it's one of the known (oft-used) errors

v1.2.12

Choose a tag to compare

@lestrrat lestrrat released this 01 Dec 06:53
v1.2.12 01 Dec 2021
[New Features]
  * `jwk.Set` can now parse private parameters. For example, after parsing
    a JWKS serialized as `{"foo": "bar", "keys": [...]}`, users can get to
    the value of `"foo"` by calling `set.Field("foo")`
  * `jwk.Set` now has `Set()` method to set field values.

v1.2.11

Choose a tag to compare

@lestrrat lestrrat released this 13 Nov 15:35
v1.2.11 14 Nov 2021
[Security Fix]
  * It was reported that since v1.2.6, it was possible to craft
    a special JSON object to bypass JWT verification via `jwt.Parse`.
    If you relied on this module to perform all the verification,
    upgrade is strongly recommended.

v1.2.10

Choose a tag to compare

@lestrrat lestrrat released this 09 Nov 09:17
v1.2.10 09 Nov 2021
[Bug fixes]
  * Parsing OpenID claims were not working for some fields.
    This was caused by the same problem as the problem fixed in v1.2.9.
    Proper tests have been added.

v1.2.9

Choose a tag to compare

@lestrrat lestrrat released this 26 Oct 01:02
v1.2.9 26 Oct 2021
[Bug fixes]
  * Parsing `key_ops` for JWKs which was broken in v1.2.8 has been fixed.

v1.2.8

Choose a tag to compare

@lestrrat lestrrat released this 21 Oct 01:24
v1.2.8 21 Oct 2021
[Miscellaneous]
  * `jws.Message`, `jws.Signature`, `jws.Headers` have been reworked
    to allow JSON messages to be verified correctly. The problem can
    be caused when protected headers are serialized one way (perhaps
    `{"c":3","a":1,"b":2}` was used before being base64-encoded) but
    the Go serialization differed from it (Go serializes in alphabetical
    order: `{"a":1,"b":2,"c":3}`)

    Messages serialized in compact form do NOT suffer from the
    same problem.

    This is close to fixes that went in v1.2.2. It boils down to the
    fact that once deserialized, the JWS messages lose part of its
    information (namely, the raw, original protected header value),
    and neither users nor the developers of this library should
    rely on it.

  * Code generation has be refactored. The main go.mod should now
    have slightly less dependencies.