Skip to content
This repository has been archived by the owner on Dec 5, 2022. It is now read-only.

exchange jwt library #95

Closed
wants to merge 2 commits into from
Closed

exchange jwt library #95

wants to merge 2 commits into from

Conversation

livio-a
Copy link

@livio-a livio-a commented Aug 9, 2021

dgrijalva/jwt-go is no longer maintained: dgrijalva/jwt-go#462
this PR exchanges dgrijalva/jwt-go (3.2.0) with github.com/golang-jwt/jwt (3.2.2)

@livio-a
Copy link
Author

livio-a commented Sep 23, 2021

I updated now to version 4.0.0 (first official version with go mod support)

Is there anything i can do to speed this up?

Although this library does not seam to be directly affected, IMO it shouldn't rely on a not actively maintained jwt-library with a high security CVE.

relates #86

@HaBaLeS
Copy link
Contributor

HaBaLeS commented Oct 23, 2021

ups .. just created the same PR #101 ... sad that Duo-Labs does not care 👎

@arianvp
Copy link

arianvp commented Oct 27, 2021

We could perhaps create a community fork where we can get some of these PRs merged. I agree it's not ideal.

OTOH The software is provided AS IS so we can't really expect anything from Duo-labs if they don't want to actively maintain it. So no hard feelings. But would be nice if they can communicate this. I can also understand that people might have shifted priorities, lost interest, or got burnt out. It happens. and is OK.

@aseigler
Copy link
Contributor

We could perhaps create a community fork where we can get some of these PRs merged. I agree it's not ideal.

OTOH The software is provided AS IS so we can't really expect anything from Duo-labs if they don't want to actively maintain it. So no hard feelings. But would be nice if they can communicate this. I can also understand that people might have shifted priorities, lost interest, or got burnt out. It happens. and is OK.

I think a large part of the issue is that most/all of the original folks that were maintaining this as a side project have moved on from Duo.

@livio-a
Copy link
Author

livio-a commented Oct 27, 2021

@arianvp I totally agree. It's provided AS IS but a clear communication would have been nice.
It's also completely understandable that this did not happen, given what @aseigler writes.

As we (CAOS Ltd.) rely heavily on WebAuthN (and Golang) for our IAM product ZITADEL, we are interested in an actively maintained library.
So if others would be interested in a community fork, I'm in and some of my colleagues for sure are too.

@arianvp
Copy link

arianvp commented Nov 9, 2021

I'd be happy if a fork of this library was created inside the caos org! sounds like a good plan.

P.S. I started on a minimal webauthn implementation with no external dependencies: https://github.com/arianvp/webauthn-minimal but it's purposefully less featureful than this library. And only targets the latest version of the spec. It is under 300 lines of code so more easily auditable for correctness hopefully.

unrealperson666 referenced this pull request Dec 4, 2021
* Moved COSE related things to their own package

* move assertion to cose verify

* Server-ServerPublicKeyCredentialCreationOptions-Req-1

* Update login.go

* Fix packed attestation signature verification and added ServerResponse structure

* Conformance testing fixes for MakeCredential

* Conformance tests nearly complete

* Initial metadata layout

* Metadata progress

* Further progress on metadata

* Resolving conflict

* Production and conformance metadata now load

* Move SafetyNet to jwt-go and add sanity check for timestamp

* Certificate checks on metadata TOC

* Restrict timestamp check in safetynet to conformance only

* Don't return safetynet x5c

* Metadata (#1)

* Moved COSE related things to their own package

* move assertion to cose verify

* Server-ServerPublicKeyCredentialCreationOptions-Req-1

* Update login.go

* Fix packed attestation signature verification and added ServerResponse structure

* Conformance testing fixes for MakeCredential

* Conformance tests nearly complete

* Initial metadata layout

* Metadata progress

* Further progress on metadata

* Resolving conflict

* Production and conformance metadata now load

* Move SafetyNet to jwt-go and add sanity check for timestamp

* Certificate checks on metadata TOC

* Restrict timestamp check in safetynet to conformance only

* Don't return safetynet x5c

* SafetyNet timestamp check

* Added metadata tests

* Update metadata tests
@MasterKale
Copy link
Collaborator

Superseded by #101 (which upgrades the JWT lib to a more recent version)

@MasterKale MasterKale closed this Dec 16, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants