chore(deps): Updated jwt and go-jose (#50)

* chore(deps): Updated jwt and go-jose

* chore: Ran go mod tidy

Author: kvanzuijlen

encryption.go

@@ -10,8 +10,10 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"time"
+
 	"github.com/go-jose/go-jose/v3"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 const (
@@ -151,7 +153,7 @@ func (k *Keypair) SignJWT(claims jwt.Claims) (string, error) {
 }
 
 // VerifyJWT verifies the signature of a token was signed with this Keypair
-func (k *Keypair) VerifyJWT(token string) (*jwt.Token, error) {
+func (k *Keypair) VerifyJWT(token string, nowFunc func() time.Time) (*jwt.Token, error) {
 	return jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
 		kid, err := k.KeyID()
 		if err != nil {
@@ -161,7 +163,7 @@ func (k *Keypair) VerifyJWT(token string) (*jwt.Token, error) {
 			return k.PublicKey, nil
 		}
 		return nil, errors.New("token kid does not match or is not present")
-	})
+	}, jwt.WithTimeFunc(nowFunc))
 }
 
 func randomNonce(length int) (string, error) {

encryption_test.go

@@ -7,25 +7,26 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/oauth2-proxy/mockoidc"
 	"github.com/stretchr/testify/assert"
 )
 
+var audience = jwt.ClaimStrings{"mockoidc"}
+
 const (
-	audience   = "mockoidc"
 	issuer     = "https://github.com/oauth2-proxy/mockoidc/"
 	defaultKid = "dHXTSCyouq6DiWaQwlXtNP54-C75mw3IcoYkERfl3fQ"
 )
 
 var (
-	standardClaims = &jwt.StandardClaims{
+	registeredClaims = &jwt.RegisteredClaims{
 		Audience:  audience,
-		ExpiresAt: time.Now().Add(time.Duration(1) * time.Hour).Unix(),
-		Id:        "0123456789abcdef",
-		IssuedAt:  time.Now().Unix(),
+		ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Duration(1) * time.Hour)),
+		ID:        "0123456789abcdef",
+		IssuedAt:  jwt.NewNumericDate(time.Now()),
 		Issuer:    issuer,
-		NotBefore: 0,
+		NotBefore: jwt.NewNumericDate(time.Time{}),
 		Subject:   "123456789",
 	}
 )
@@ -60,31 +61,33 @@ func TestKeypair_SignJWTVerifyJWT(t *testing.T) {
 
 			assert.NotEqual(t, alice.PrivateKey.N, bob.PrivateKey.N)
 
-			tokenStr, err := alice.SignJWT(standardClaims)
+			tokenStr, err := alice.SignJWT(registeredClaims)
 			assert.NoError(t, err)
 
-			_, err = bob.VerifyJWT(tokenStr)
+			_, err = bob.VerifyJWT(tokenStr, mockoidc.NowFunc)
 			assert.Error(t, err)
 
-			token, err := alice.VerifyJWT(tokenStr)
+			token, err := alice.VerifyJWT(tokenStr, mockoidc.NowFunc)
 			assert.NoError(t, err)
 			assert.True(t, token.Valid)
 
 			claims, ok := token.Claims.(jwt.MapClaims)
 			assert.True(t, ok)
-			assert.Equal(t, audience, claims["aud"])
+			claimAudience, err := claims.GetAudience()
+			assert.NoError(t, err)
+			assert.Equal(t, audience, claimAudience)
 			assert.Equal(t, issuer, claims["iss"])
 
 			alice.Kid = "WRONG"
-			_, err = alice.VerifyJWT(tokenStr)
+			_, err = alice.VerifyJWT(tokenStr, mockoidc.NowFunc)
 			assert.Error(t, err)
 
 			const customKid = "USER_DEFINED"
 			bob.Kid = customKid
-			kidTokenStr, err := bob.SignJWT(standardClaims)
+			kidTokenStr, err := bob.SignJWT(registeredClaims)
 			assert.NoError(t, err)
 
-			kidToken, err := bob.VerifyJWT(kidTokenStr)
+			kidToken, err := bob.VerifyJWT(kidTokenStr, mockoidc.NowFunc)
 			assert.NoError(t, err)
 			assert.Equal(t, customKid, kidToken.Header["kid"])
 		})

go.mod

@@ -1,11 +1,17 @@
 module github.com/oauth2-proxy/mockoidc
 
-go 1.16
+go 1.21
 
 require (
 	github.com/go-jose/go-jose/v3 v3.0.1
-	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/google/go-cmp v0.5.4 // indirect
-	github.com/stretchr/testify v1.7.0
+	github.com/golang-jwt/jwt/v5 v5.2.0
+	github.com/stretchr/testify v1.8.4
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,35 +1,30 @@
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
 github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

handlers.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 const (
@@ -403,7 +403,7 @@ func (m *MockOIDC) authorizeBearer(rw http.ResponseWriter, req *http.Request) (*
 }
 
 func (m *MockOIDC) authorizeToken(t string, rw http.ResponseWriter) (*jwt.Token, bool) {
-	token, err := m.Keypair.VerifyJWT(t)
+	token, err := m.Keypair.VerifyJWT(t, m.Now)
 	if err != nil {
 		errorResponse(rw, InvalidRequest, fmt.Sprintf("Invalid token: %v", err), http.StatusUnauthorized)
 		return nil, false

handlers_test.go

@@ -133,7 +133,7 @@ func TestMockOIDC_Token_CodeGrant(t *testing.T) {
 		"id_token",
 	} {
 		t.Run(key, func(t *testing.T) {
-			_, err := m.Keypair.VerifyJWT(tokenResp[key].(string))
+			_, err := m.Keypair.VerifyJWT(tokenResp[key].(string), m.Now)
 			assert.NoError(t, err)
 		})
 	}
@@ -279,7 +279,7 @@ func TestMockOIDC_Token_RefreshGrant(t *testing.T) {
 		"id_token",
 	} {
 		t.Run(key, func(t *testing.T) {
-			_, err := m.Keypair.VerifyJWT(tokenResp[key].(string))
+			_, err := m.Keypair.VerifyJWT(tokenResp[key].(string), m.Now)
 			assert.NoError(t, err)
 		})
 	}

mockoidc.go

@@ -9,8 +9,6 @@ import (
 	"net"
 	"net/http"
 	"time"
-
-	"github.com/golang-jwt/jwt"
 )
 
 // NowFunc is an overrideable version of `time.Now`. Tests that need to
@@ -195,19 +193,6 @@ func (m *MockOIDC) Now() time.Time {
 	return NowFunc().Add(m.fastForward)
 }
 
-// TimeReset is a function that resets time
-type TimeReset func()
-
-// Synchronize sets the jwt.TimeFunc to our mutated view of time.
-// It returns a func that can reset it to its original state.
-func (m *MockOIDC) Synchronize() TimeReset {
-	original := jwt.TimeFunc
-
-	jwt.TimeFunc = m.Now
-
-	return func() { jwt.TimeFunc = original }
-}
-
 // Addr returns the server address (if started)
 func (m *MockOIDC) Addr() string {
 	if m.Server == nil {

mockoidc_test.go

@@ -11,7 +11,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/oauth2-proxy/mockoidc"
 	"github.com/stretchr/testify/assert"
 )
@@ -33,10 +33,6 @@ func TestRun(t *testing.T) {
 	assert.NoError(t, err)
 	defer m.Shutdown()
 
-	// Override jwt.TimeFunc with our timer
-	reset := m.Synchronize()
-	defer reset()
-
 	// ************************************************************************
 	// Stage 0: Get Discovery documents
 	// ************************************************************************
@@ -122,11 +118,11 @@ func TestRun(t *testing.T) {
 	err = json.Unmarshal(body, &tokens)
 	assert.NoError(t, err)
 
-	_, err = m.Keypair.VerifyJWT(tokens["access_token"].(string))
+	_, err = m.Keypair.VerifyJWT(tokens["access_token"].(string), m.Now)
 	assert.NoError(t, err)
-	_, err = m.Keypair.VerifyJWT(tokens["refresh_token"].(string))
+	_, err = m.Keypair.VerifyJWT(tokens["refresh_token"].(string), m.Now)
 	assert.NoError(t, err)
-	idToken, err := m.Keypair.VerifyJWT(tokens["id_token"].(string))
+	idToken, err := m.Keypair.VerifyJWT(tokens["id_token"].(string), m.Now)
 	assert.NoError(t, err)
 
 	// The nonce we set initially is in our ID Token
@@ -184,11 +180,11 @@ func TestRun(t *testing.T) {
 	err = json.Unmarshal(refreshBody, &refreshedTokens)
 	assert.NoError(t, err)
 
-	_, err = m.Keypair.VerifyJWT(refreshedTokens["access_token"].(string))
+	_, err = m.Keypair.VerifyJWT(refreshedTokens["access_token"].(string), m.Now)
 	assert.NoError(t, err)
-	_, err = m.Keypair.VerifyJWT(refreshedTokens["refresh_token"].(string))
+	_, err = m.Keypair.VerifyJWT(refreshedTokens["refresh_token"].(string), m.Now)
 	assert.NoError(t, err)
-	refreshedIDToken, err := m.Keypair.VerifyJWT(refreshedTokens["id_token"].(string))
+	refreshedIDToken, err := m.Keypair.VerifyJWT(refreshedTokens["id_token"].(string), m.Now)
 	assert.NoError(t, err)
 
 	// The nonce we set initially is STILL in our ID Token
@@ -366,12 +362,12 @@ func setTime() {
 	mockoidc.NowFunc = func() time.Time {
 		return time.Unix(TestNow, 0)
 	}
-	jwt.TimeFunc = func() time.Time {
+	jwt.WithTimeFunc(func() time.Time {
 		return time.Unix(TestNow, 0)
-	}
+	})
 }
 
 func resetTime() {
 	mockoidc.NowFunc = time.Now
-	jwt.TimeFunc = time.Now
+	jwt.WithTimeFunc(time.Now)
 }

session.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 // Session stores a User and their OIDC options across requests
@@ -29,7 +29,7 @@ type SessionStore struct {
 // should use in their jwt.Claims building.
 type IDTokenClaims struct {
 	Nonce string `json:"nonce,omitempty"`
-	*jwt.StandardClaims
+	*jwt.RegisteredClaims
 }
 
 // NewSessionStore initializes the SessionStore for this server
@@ -84,23 +84,23 @@ func (ss *SessionStore) GetSessionByToken(token *jwt.Token) (*Session, error) {
 // AccessToken returns the JWT token with the appropriate claims for
 // an access token
 func (s *Session) AccessToken(config *Config, kp *Keypair, now time.Time) (string, error) {
-	claims := s.standardClaims(config, config.AccessTTL, now)
+	claims := s.registeredClaims(config, config.AccessTTL, now)
 	return kp.SignJWT(claims)
 }
 
 // RefreshToken returns the JWT token with the appropriate claims for
 // a refresh token
 func (s *Session) RefreshToken(config *Config, kp *Keypair, now time.Time) (string, error) {
-	claims := s.standardClaims(config, config.RefreshTTL, now)
+	claims := s.registeredClaims(config, config.RefreshTTL, now)
 	return kp.SignJWT(claims)
 }
 
 // IDToken returns the JWT token with the appropriate claims for a user
 // based on the scopes set.
 func (s *Session) IDToken(config *Config, kp *Keypair, now time.Time) (string, error) {
 	base := &IDTokenClaims{
-		StandardClaims: s.standardClaims(config, config.AccessTTL, now),
-		Nonce:          s.OIDCNonce,
+		RegisteredClaims: s.registeredClaims(config, config.AccessTTL, now),
+		Nonce:            s.OIDCNonce,
 	}
 	claims, err := s.User.Claims(s.Scopes, base)
 	if err != nil {
@@ -110,14 +110,14 @@ func (s *Session) IDToken(config *Config, kp *Keypair, now time.Time) (string, e
 	return kp.SignJWT(claims)
 }
 
-func (s *Session) standardClaims(config *Config, ttl time.Duration, now time.Time) *jwt.StandardClaims {
-	return &jwt.StandardClaims{
-		Audience:  config.ClientID,
-		ExpiresAt: now.Add(ttl).Unix(),
-		Id:        s.SessionID,
-		IssuedAt:  now.Unix(),
+func (s *Session) registeredClaims(config *Config, ttl time.Duration, now time.Time) *jwt.RegisteredClaims {
+	return &jwt.RegisteredClaims{
+		Audience:  jwt.ClaimStrings{config.ClientID},
+		ExpiresAt: jwt.NewNumericDate(now.Add(ttl)),
+		ID:        s.SessionID,
+		IssuedAt:  jwt.NewNumericDate(now),
 		Issuer:    config.Issuer,
-		NotBefore: now.Unix(),
+		NotBefore: jwt.NewNumericDate(now),
 		Subject:   s.User.ID(),
 	}
 }