v1.2.11

v1.2.11 14 Nov 2021
[Security Fix]
  * It was reported that since v1.2.6, it was possible to craft
    a special JSON object to bypass JWT verification via `jwt.Parse`.
    If you relied on this module to perform all the verification,
    upgrade is strongly recommended.

v1.2.10

v1.2.10 09 Nov 2021
[Bug fixes]
  * Parsing OpenID claims were not working for some fields.
    This was caused by the same problem as the problem fixed in v1.2.9.
    Proper tests have been added.

v1.2.9

v1.2.9 26 Oct 2021
[Bug fixes]
  * Parsing `key_ops` for JWKs which was broken in v1.2.8 has been fixed.

v1.2.8

v1.2.8 21 Oct 2021
[Miscellaneous]
  * `jws.Message`, `jws.Signature`, `jws.Headers` have been reworked
    to allow JSON messages to be verified correctly. The problem can
    be caused when protected headers are serialized one way (perhaps
    `{"c":3","a":1,"b":2}` was used before being base64-encoded) but
    the Go serialization differed from it (Go serializes in alphabetical
    order: `{"a":1,"b":2,"c":3}`)

    Messages serialized in compact form do NOT suffer from the
    same problem.

    This is close to fixes that went in v1.2.2. It boils down to the
    fact that once deserialized, the JWS messages lose part of its
    information (namely, the raw, original protected header value),
    and neither users nor the developers of this library should
    rely on it.

  * Code generation has be refactored. The main go.mod should now
    have slightly less dependencies.

v1.2.7

Lots of usability improvements around jwt.Parse() and jwt.Validate() !

v1.2.7 26 Sep 2021
[New features]
  * `jwt.InferAlgorithmFromKey()` option is now available to "guess"
    the algorithm used to verify the JWS signature on a JWT using
    a JWKS (key set). This allows you to match JWKs that do not have
    the `alg` field populated.

    We understand that some providers do not provide the `alg` field,
    which is a nuisance to users. But from a purely security minded PoV,
    we don't think that this "try until something works" approach is a
    good one, even if there are no known exploits. This is why the
    default `jwt.Parse` mechanism is unchanged, and an explicit option
    has been added.

  * Types `jwt.KeySetProvider` and `jwk.KeySetProviderFunc` have been
    added. Along with `jwt.WithKeySetProvider()` option, `jwt.Parse`
    can now choose the `jwk.Set` to use for signature verification
    dynamically using the UNVERFIEID token as a clue.

    You should NOT trust the token information too much. For example,
    DO NOT directly use values from the token as verificatin parameters
    (such as the signature algorithm)

  * `jwt.WithValidator()` has been added to allow users pass in aribtrary
    validation code to the `jwt.Validate()` method.

    It is also now possible to pass in a `context.Context` object to
    `jwt.Validate()` using `jwt.WithContext()` option.

v1.2.6

v1.2.6 24 Aug 2021
[New features]
  * Support `crypto.Signer` keys for RSA, ECDSA, and EdDSA family
    of signatures in `jws.Sign`
[Miscellaneous]
  * `jwx.GuessFormat()` now requires the presense of both `payload` and
    `signatures` keys for it to guess that a JSON object is a JWS message.
  * Slightly enhance `jwt.Parse()` performance.

v1.2.5

v1.2.5 04 Aug 2021
[New features]
  * Implement RFC7797. The value of the header field `b64` changes
    how the payload is treated in JWS
  * Implement detached payloads for JWS
  * Implement (jwk.AutoRefresh).ErrorSink() to register a channel
    where you can receive errors from fetches and parses that occur during
    JWK(s) retrieval.

v1.2.4

v1.2.4 15 Jul 2021
[Bug fixes]
  * We had the same off-by-one in another place and jumped the gun on
    releasing a new version. At least we were making mistakes uniformally :/
    `(jwk.Set).Remove` should finally be fixed.

[New features]
  * `(jwk.Set).Clone()` has been added.

v1.2.3

v1.2.3 15 Jul 2021
[Buf fixes]
  * jwk.Set incorrectly removed 2 elements instead of one.

[Miscellaneous]
  * github.com/goccy/go-json has been upgraded to v0.7.4

v1.2.2

v1.2.2 13 Jul 2021
[Deprecation notice]
  * `(jwe.Message).Decrypt()` will be removed from the API upon the next
    major release.

[Bug Fixes]
  * `jwe.Decrypt` and `(jwe.Message).Decrypt()` failed to decrypt even
    with the correct message contents when used along with `jwe.RegisterCustomField`

[New features]
  JWX
  * Add GuessFormat() function to guess what the payload is.

  JWT
  * Options `jwt.WithMinDelta()`, `jwt.WithMaxDelta()` have been added.
    These can be used to compare time-based fields in the JWT object.
  * Option `jwt.WithRequiredClaim()` has been added. This can be used
    to check that JWT contains the given claim.
  * `jwt.Parse` now understands payloads that have been encrypted _and_ signed.
    This is more in line with the RFC than the previous implementation, but
    due to the fact that it requires a couple of extra unmarshaling, it may
    add some amount of overhead.
  * `jwt.Serializer` has been added as an easy wrapper to perform multiple
     levels of serializations (e.g. apply JWS, then JWE)

  JWE
  * Option `jwe.WithMessage()` has been added. This allows the user to
    obtain both the decrypted payload _and_ the raw `*jwe.Message` in one
    go when `jwe.Decrypt()` is called
  * Option `jwe.WithPostParser()`, along with `jwe.PostParser` and `jwe.PostParseFunc`
    has been added. This allows advanced users to hook into the `jwe.Decrypt()`
    process. The hook is called right after the JWE message has been parsed,
    but before the actual decryption has taken place.
  * `(jwe.Message).Decrypt()` has been marked for deprecation in a next major release.

  JWS
  * Option `jwe.WithMessage()` has been added. This allows the user to
    obtain both the verified payload _and_ the raw `*jws.Message` in one
    go when `jws.Verify()` is called
  * Options to `jws.Sign()` are not of type `jws.SignOption`. There should be
    no user-visible effects unless you were storing these somewhere.