feat(deps): update go-jose to v4 (#588)

This change updates to go-jose v4, which was a new major release. jose.ParseSigned now expects the supported signing algorithms to be passed, on which we previously did our own check. As they use a dedicated type for this, the slice of string needs to be converted. The returned error also need to be handled in a non-standard way in order to stay compatible. For OIDC v4 we should use the jose.SignatureAlgorithm type directly and wrap errors, instead of returned static defined errors. Closes #583
2024-04-11 18:13:30 +03:00 · 2024-04-11 18:13:30 +03:00 · 33f8df7eb2
commit 33f8df7eb2
parent 06f37f84c1
33 changed files with 58 additions and 74 deletions
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@ -10,7 +10,7 @@ import (
 	"strings"
 	"time"

-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/zitadel/logging"
 	"github.com/zitadel/oidc/v3/pkg/crypto"
 	httphelper "github.com/zitadel/oidc/v3/pkg/http"
--- a/pkg/client/profile/jwt_profile.go
+++ b/pkg/client/profile/jwt_profile.go
@ -5,7 +5,7 @@ import (
 	"net/http"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	"golang.org/x/oauth2"

 	"github.com/zitadel/oidc/v3/pkg/client"
--- a/pkg/client/rp/jwks.go
+++ b/pkg/client/rp/jwks.go
@ -7,7 +7,7 @@ import (
 	"net/http"
 	"sync"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"

 	"github.com/zitadel/oidc/v3/pkg/client"
 	httphelper "github.com/zitadel/oidc/v3/pkg/http"
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@ -9,7 +9,7 @@ import (
 	"net/url"
 	"time"

-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/google/uuid"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/clientcredentials"
--- a/pkg/client/rp/verifier.go
+++ b/pkg/client/rp/verifier.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"

 	"github.com/zitadel/oidc/v3/pkg/client"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
--- a/pkg/client/rp/verifier_test.go
+++ b/pkg/client/rp/verifier_test.go
@ -5,7 +5,7 @@ import (
 	"testing"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	tu "github.com/zitadel/oidc/v3/internal/testutil"
--- a/pkg/client/tokenexchange/tokenexchange.go
+++ b/pkg/client/tokenexchange/tokenexchange.go
@ -6,7 +6,7 @@ import (
 	"net/http"
 	"time"

-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/zitadel/oidc/v3/pkg/client"
 	httphelper "github.com/zitadel/oidc/v3/pkg/http"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
--- a/pkg/crypto/hash.go
+++ b/pkg/crypto/hash.go
@ -8,7 +8,7 @@ import (
 	"fmt"
 	"hash"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 )

 var ErrUnsupportedAlgorithm = errors.New("unsupported signing algorithm")
--- a/pkg/crypto/sign.go
+++ b/pkg/crypto/sign.go
@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"errors"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 )

 func Sign(object any, signer jose.Signer) (string, error) {
--- a/pkg/oidc/keyset.go
+++ b/pkg/oidc/keyset.go
@ -7,7 +7,7 @@ import (
 	"crypto/rsa"
 	"errors"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 )

 const (
--- a/pkg/oidc/keyset_test.go
+++ b/pkg/oidc/keyset_test.go
@ -7,7 +7,7 @@ import (
 	"reflect"
 	"testing"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 )

 func TestFindKey(t *testing.T) {
--- a/pkg/oidc/token.go
+++ b/pkg/oidc/token.go
@ -5,7 +5,7 @@ import (
 	"os"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	"golang.org/x/oauth2"

 	"github.com/muhlemmer/gu"
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@ -6,7 +6,7 @@ import (
 	"slices"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 )

 const (
--- a/pkg/oidc/token_test.go
+++ b/pkg/oidc/token_test.go
@ -4,7 +4,7 @@ import (
 	"testing"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/text/language"
 )
--- a/pkg/oidc/types.go
+++ b/pkg/oidc/types.go
@ -9,7 +9,7 @@ import (
 	"strings"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	"github.com/muhlemmer/gu"
 	"github.com/zitadel/schema"
 	"golang.org/x/text/language"
--- a/pkg/oidc/verifier.go
+++ b/pkg/oidc/verifier.go
@ -10,7 +10,7 @@ import (
 	"strings"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"

 	str "github.com/zitadel/oidc/v3/pkg/strings"
 )
@ -148,8 +148,13 @@ func CheckAuthorizedParty(claims Claims, clientID string) error {
 }

 func CheckSignature(ctx context.Context, token string, payload []byte, claims ClaimsSignature, supportedSigAlgs []string, set KeySet) error {
-	jws, err := jose.ParseSigned(token)
+	jws, err := jose.ParseSigned(token, toJoseSignatureAlgorithms(supportedSigAlgs))
 	if err != nil {
+		if strings.HasPrefix(err.Error(), "go-jose/go-jose: unexpected signature algorithm") {
+			// TODO(v4): we should wrap errors instead of returning static ones.
+			// This is a workaround so we keep returning the same error for now.
+			return ErrSignatureUnsupportedAlg
+		}
 		return ErrParse
 	}
 	if len(jws.Signatures) == 0 {
@ -159,12 +164,6 @@ func CheckSignature(ctx context.Context, token string, payload []byte, claims Cl
 		return ErrSignatureMultiple
 	}
 	sig := jws.Signatures[0]
-	if len(supportedSigAlgs) == 0 {
-		supportedSigAlgs = []string{"RS256"}
-	}
-	if !str.Contains(supportedSigAlgs, sig.Header.Algorithm) {
-		return fmt.Errorf("%w: id token signed with unsupported algorithm, expected %q got %q", ErrSignatureUnsupportedAlg, supportedSigAlgs, sig.Header.Algorithm)
-	}

 	signedPayload, err := set.VerifySignature(ctx, jws)
 	if err != nil {
@ -180,6 +179,18 @@ func CheckSignature(ctx context.Context, token string, payload []byte, claims Cl
 	return nil
 }

+// TODO(v4): Use the new jose.SignatureAlgorithm type directly, instead of string.
+func toJoseSignatureAlgorithms(algorithms []string) []jose.SignatureAlgorithm {
+	out := make([]jose.SignatureAlgorithm, len(algorithms))
+	for i := range algorithms {
+		out[i] = jose.SignatureAlgorithm(algorithms[i])
+	}
+	if len(out) == 0 {
+		out = append(out, jose.RS256)
+	}
+	return out
+}
+
 func CheckExpiration(claims Claims, offset time.Duration) error {
 	expiration := claims.GetExpiration()
 	if !time.Now().Add(offset).Before(expiration) {
--- a/pkg/op/discovery.go
+++ b/pkg/op/discovery.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"net/http"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"

 	httphelper "github.com/zitadel/oidc/v3/pkg/http"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
--- a/pkg/op/discovery_test.go
+++ b/pkg/op/discovery_test.go
@ -6,7 +6,7 @@ import (
 	"net/http/httptest"
 	"testing"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
--- a/pkg/op/keys.go
+++ b/pkg/op/keys.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"net/http"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"

 	httphelper "github.com/zitadel/oidc/v3/pkg/http"
 )
--- a/pkg/op/keys_test.go
+++ b/pkg/op/keys_test.go
@ -7,7 +7,7 @@ import (
 	"net/http/httptest"
 	"testing"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"

--- a/pkg/op/mock/authorizer.mock.impl.go
+++ b/pkg/op/mock/authorizer.mock.impl.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"testing"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	"github.com/golang/mock/gomock"
 	"github.com/zitadel/schema"

--- a/pkg/op/mock/discovery.mock.go
+++ b/pkg/op/mock/discovery.mock.go
@ -8,7 +8,7 @@ import (
 	context "context"
 	reflect "reflect"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	gomock "github.com/golang/mock/gomock"
 )

--- a/pkg/op/mock/signer.mock.go
+++ b/pkg/op/mock/signer.mock.go
@ -7,7 +7,7 @@ package mock
 import (
 	reflect "reflect"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	gomock "github.com/golang/mock/gomock"
 )

--- a/pkg/op/mock/storage.mock.go
+++ b/pkg/op/mock/storage.mock.go
@ -9,7 +9,7 @@ import (
 	reflect "reflect"
 	time "time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	gomock "github.com/golang/mock/gomock"
 	oidc "github.com/zitadel/oidc/v3/pkg/oidc"
 	op "github.com/zitadel/oidc/v3/pkg/op"
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@ -8,7 +8,7 @@ import (
 	"time"

 	"github.com/go-chi/chi/v5"
-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 	"github.com/rs/cors"
 	"github.com/zitadel/schema"
 	"go.opentelemetry.io/otel"
--- a/pkg/op/signer.go
+++ b/pkg/op/signer.go
@ -3,7 +3,7 @@ package op
 import (
 	"errors"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"
 )

 var ErrSignerCreationFailed = errors.New("signer creation failed")
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
@ -5,7 +5,7 @@ import (
 	"errors"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"

 	"github.com/zitadel/oidc/v3/pkg/oidc"
 )
--- a/pkg/op/verifier_jwt_profile.go
+++ b/pkg/op/verifier_jwt_profile.go
@ -6,7 +6,7 @@ import (
 	"fmt"
 	"time"

-	jose "github.com/go-jose/go-jose/v3"
+	jose "github.com/go-jose/go-jose/v4"

 	"github.com/zitadel/oidc/v3/pkg/oidc"
 )