Releases: lestrrat-go/jwx
Releases · lestrrat-go/jwx
v1.2.6
v1.2.6 24 Aug 2021
[New features]
* Support `crypto.Signer` keys for RSA, ECDSA, and EdDSA family
of signatures in `jws.Sign`
[Miscellaneous]
* `jwx.GuessFormat()` now requires the presense of both `payload` and
`signatures` keys for it to guess that a JSON object is a JWS message.
* Slightly enhance `jwt.Parse()` performance.
v1.2.5
v1.2.5 04 Aug 2021
[New features]
* Implement RFC7797. The value of the header field `b64` changes
how the payload is treated in JWS
* Implement detached payloads for JWS
* Implement (jwk.AutoRefresh).ErrorSink() to register a channel
where you can receive errors from fetches and parses that occur during
JWK(s) retrieval.
v1.2.4
v1.2.4 15 Jul 2021
[Bug fixes]
* We had the same off-by-one in another place and jumped the gun on
releasing a new version. At least we were making mistakes uniformally :/
`(jwk.Set).Remove` should finally be fixed.
[New features]
* `(jwk.Set).Clone()` has been added.
v1.2.3
v1.2.2
v1.2.2 13 Jul 2021
[Deprecation notice]
* `(jwe.Message).Decrypt()` will be removed from the API upon the next
major release.
[Bug Fixes]
* `jwe.Decrypt` and `(jwe.Message).Decrypt()` failed to decrypt even
with the correct message contents when used along with `jwe.RegisterCustomField`
[New features]
JWX
* Add GuessFormat() function to guess what the payload is.
JWT
* Options `jwt.WithMinDelta()`, `jwt.WithMaxDelta()` have been added.
These can be used to compare time-based fields in the JWT object.
* Option `jwt.WithRequiredClaim()` has been added. This can be used
to check that JWT contains the given claim.
* `jwt.Parse` now understands payloads that have been encrypted _and_ signed.
This is more in line with the RFC than the previous implementation, but
due to the fact that it requires a couple of extra unmarshaling, it may
add some amount of overhead.
* `jwt.Serializer` has been added as an easy wrapper to perform multiple
levels of serializations (e.g. apply JWS, then JWE)
JWE
* Option `jwe.WithMessage()` has been added. This allows the user to
obtain both the decrypted payload _and_ the raw `*jwe.Message` in one
go when `jwe.Decrypt()` is called
* Option `jwe.WithPostParser()`, along with `jwe.PostParser` and `jwe.PostParseFunc`
has been added. This allows advanced users to hook into the `jwe.Decrypt()`
process. The hook is called right after the JWE message has been parsed,
but before the actual decryption has taken place.
* `(jwe.Message).Decrypt()` has been marked for deprecation in a next major release.
JWS
* Option `jwe.WithMessage()` has been added. This allows the user to
obtain both the verified payload _and_ the raw `*jws.Message` in one
go when `jws.Verify()` is called
* Options to `jws.Sign()` are not of type `jws.SignOption`. There should be
no user-visible effects unless you were storing these somewhere.
v1.2.1
v1.2.1 02 Jun 2021
[New features]
* Option `jwt.WithTypedClaim()` and `jwk.WithTypedField()` have been added.
They allow a per-object custom conversion from their JSON representation
to a Go object, much like `RegisterCustomField`.
The difference is that whereas `RegisterCustomField` has global effect,
these typed fields only take effect in the call where the option was
explicitly passed.
`jws` and `jwe` does not have these options because
(1) JWS and JWE messages don't generally carry much in terms of custom data
(2) This requires changes in function signatures.
Only use these options when you absolutely need to. While it is a powerful
tool, they do have many caveats, and abusing these features will have
negative effects. See the documentation for details
v1.2.0
This is a security fix release with minor incompatibilities from earlier version
with regards to the behavior of `jwt.Verify()` function
[Security Fix]
* `jwt.Verify()` had improperly used the `"alg"` header from the JWS message
when `jwt.WithKeySet()` option was used (potentially allowing exploits
described in https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/.
This has been fixed by ONLY trusting the keys that you provide and
using the `"alg"` header from the keys themselves. (#375, #381)
As a side effect, `jwt.WithKeySet()` requires that all applicable keys
to contain a valid `"alg"` header. Without this we cannot safely choose a key to use,
and hence verification will fail.
The requirement for the `"alg"` header on keys is an INCOMPATIBLE behavior.
This may break existing code, if the key does not already have an `"alg"` header.
[New features]
* `jwt.Settings()` and `jwt.WithFlattenAudience(bool)` has been added
to control how the "aud" claim is serialized into JSON. When this
is enabled, all JWTs with a single "aud" claim will serialize
the field as a single string, instead of an array of strings with
a single element, i.e.:
// jwt.WithFlattenAudience(true)
{"aud": "foo"}
// jwt.WithFlattenAudience(false)
{"aud": ["foo"]}
This setting has a global effect.
[Bug fixes]
* jwt.Validate now returns true if the value in `nbf` field is exactly
the same as what the clock returns (e.g. token.nbf == time.Now())
v1.1.7
v1.1.7 2 Apr 2021
[New features]
* `jwk.New` `jwk.Parse`, `jwk.ParseKey` can now take a Certificate in
ASN.1 DER format in PEM encoding to create a JWK.
[Bug fixes]
* Protect `jwk.New()` from invalid RSA/ECDSA keys (#360, #361)
[Miscellaneous]
* Removed "internal/blackmagic" and separated it to its own repository.
* Removed unused "marshal proxy" objects in jwt
* Added FAQ in `jwt` package
v1.1.6
v1.1.6 28 Mar 2021
[Bug fixes]
* When an object (e.g. JWT) has a null value and `AsMap()` is called,
`github.com/lestrrat-go/iter` would panic.
This should be fixed in `github.com/lestrrat-go/iter@v1.0.1` and
the dependency has been updated accordingly
[Miscellaneous]
* Added How-to style docs under `docs/`
* github.com/goccy/go-json dependency has been updated to v0.4.8
v1.1.5
v1.1.5 12 Mar 2021
This is a security fix release. The JWT validation could be skipped
for empty values. Upgrade recommended
[Security Fix]
* JWT validation could be skipped for empty fields (#352).
[Bug fixes]
* Allow setting JWT "typ" fields to any value (#351).
* Remove stray replace directive in cmd/jwx/go.mod (#349)