Merge pull request #9917 from rhafer/bump-jwt

cleanups in oidc middleware

vendor/github.com/MicahParks/keyfunc/v2/get.go

@@ -49,11 +49,21 @@ func Get(jwksURL string, options Options) (jwks *JWKS, err error) {
 
 	err = jwks.refresh()
 	if err != nil {
-		return nil, err
+		if options.TolerateInitialJWKHTTPError {
+			if jwks.refreshErrorHandler != nil {
+				jwks.refreshErrorHandler(err)
+			}
+			jwks.keys = make(map[string]parsedJWK)
+		} else {
+			return nil, err
+		}
 	}
 
 	if jwks.refreshInterval != 0 || jwks.refreshUnknownKID {
-		jwks.ctx, jwks.cancel = context.WithCancel(context.Background())
+		if jwks.ctx == nil {
+			jwks.ctx = context.Background()
+		}
+		jwks.ctx, jwks.cancel = context.WithCancel(jwks.ctx)
 		jwks.refreshRequests = make(chan refreshRequest, 1)
 		go jwks.backgroundRefresh()
 	}

vendor/github.com/MicahParks/keyfunc/v2/given.go

@@ -42,28 +42,14 @@ func NewGiven(givenKeys map[string]GivenKey) (jwks *JWKS) {
 	}
 }
 
-// NewGivenCustom creates a new GivenKey given an untyped variable. The key argument is expected to be a supported
+// NewGivenCustom creates a new GivenKey given an untyped variable. The key argument is expected to be a type supported
 // by the jwt package used.
 //
-// See the https://pkg.go.dev/github.com/golang-jwt/jwt/v4#RegisterSigningMethod function for registering an unsupported
-// signing method.
-//
-// Deprecated: This function does not allow the user to specify the JWT's signing algorithm. Use
-// NewGivenCustomWithOptions instead.
-func NewGivenCustom(key interface{}) (givenKey GivenKey) {
-	return GivenKey{
-		inter: key,
-	}
-}
-
-// NewGivenCustomWithOptions creates a new GivenKey given an untyped variable. The key argument is expected to be a type
-// supported by the jwt package used.
-//
 // Consider the options carefully as each field may have a security implication.
 //
-// See the https://pkg.go.dev/github.com/golang-jwt/jwt/v4#RegisterSigningMethod function for registering an unsupported
+// See the https://pkg.go.dev/github.com/golang-jwt/jwt/v5#RegisterSigningMethod function for registering an unsupported
 // signing method.
-func NewGivenCustomWithOptions(key interface{}, options GivenKeyOptions) (givenKey GivenKey) {
+func NewGivenCustom(key interface{}, options GivenKeyOptions) (givenKey GivenKey) {
 	return GivenKey{
 		algorithm: options.Algorithm,
 		inter:     key,
@@ -72,18 +58,8 @@ func NewGivenCustomWithOptions(key interface{}, options GivenKeyOptions) (givenK
 
 // NewGivenECDSA creates a new GivenKey given an ECDSA public key.
 //
-// Deprecated: This function does not allow the user to specify the JWT's signing algorithm. Use
-// NewGivenECDSACustomWithOptions instead.
-func NewGivenECDSA(key *ecdsa.PublicKey) (givenKey GivenKey) {
-	return GivenKey{
-		inter: key,
-	}
-}
-
-// NewGivenECDSACustomWithOptions creates a new GivenKey given an ECDSA public key.
-//
 // Consider the options carefully as each field may have a security implication.
-func NewGivenECDSACustomWithOptions(key *ecdsa.PublicKey, options GivenKeyOptions) (givenKey GivenKey) {
+func NewGivenECDSA(key *ecdsa.PublicKey, options GivenKeyOptions) (givenKey GivenKey) {
 	return GivenKey{
 		algorithm: options.Algorithm,
 		inter:     key,
@@ -92,18 +68,8 @@ func NewGivenECDSACustomWithOptions(key *ecdsa.PublicKey, options GivenKeyOption
 
 // NewGivenEdDSA creates a new GivenKey given an EdDSA public key.
 //
-// Deprecated: This function does not allow the user to specify the JWT's signing algorithm. Use
-// NewGivenEdDSACustomWithOptions instead.
-func NewGivenEdDSA(key ed25519.PublicKey) (givenKey GivenKey) {
-	return GivenKey{
-		inter: key,
-	}
-}
-
-// NewGivenEdDSACustomWithOptions creates a new GivenKey given an EdDSA public key.
-//
 // Consider the options carefully as each field may have a security implication.
-func NewGivenEdDSACustomWithOptions(key ed25519.PublicKey, options GivenKeyOptions) (givenKey GivenKey) {
+func NewGivenEdDSA(key ed25519.PublicKey, options GivenKeyOptions) (givenKey GivenKey) {
 	return GivenKey{
 		algorithm: options.Algorithm,
 		inter:     key,
@@ -112,18 +78,8 @@ func NewGivenEdDSACustomWithOptions(key ed25519.PublicKey, options GivenKeyOptio
 
 // NewGivenHMAC creates a new GivenKey given an HMAC key in a byte slice.
 //
-// Deprecated: This function does not allow the user to specify the JWT's signing algorithm. Use
-// NewGivenHMACCustomWithOptions instead.
-func NewGivenHMAC(key []byte) (givenKey GivenKey) {
-	return GivenKey{
-		inter: key,
-	}
-}
-
-// NewGivenHMACCustomWithOptions creates a new GivenKey given an HMAC key in a byte slice.
-//
 // Consider the options carefully as each field may have a security implication.
-func NewGivenHMACCustomWithOptions(key []byte, options GivenKeyOptions) (givenKey GivenKey) {
+func NewGivenHMAC(key []byte, options GivenKeyOptions) (givenKey GivenKey) {
 	return GivenKey{
 		algorithm: options.Algorithm,
 		inter:     key,
@@ -132,18 +88,8 @@ func NewGivenHMACCustomWithOptions(key []byte, options GivenKeyOptions) (givenKe
 
 // NewGivenRSA creates a new GivenKey given an RSA public key.
 //
-// Deprecated: This function does not allow the user to specify the JWT's signing algorithm. Use
-// NewGivenRSACustomWithOptions instead.
-func NewGivenRSA(key *rsa.PublicKey) (givenKey GivenKey) {
-	return GivenKey{
-		inter: key,
-	}
-}
-
-// NewGivenRSACustomWithOptions creates a new GivenKey given an RSA public key.
-//
 // Consider the options carefully as each field may have a security implication.
-func NewGivenRSACustomWithOptions(key *rsa.PublicKey, options GivenKeyOptions) (givenKey GivenKey) {
+func NewGivenRSA(key *rsa.PublicKey, options GivenKeyOptions) (givenKey GivenKey) {
 	return GivenKey{
 		algorithm: options.Algorithm,
 		inter:     key,

vendor/github.com/MicahParks/keyfunc/v2/keyfunc.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 var (
@@ -14,7 +14,7 @@ var (
 	ErrKID = errors.New("the JWT has an invalid kid")
 )
 
-// Keyfunc matches the signature of github.com/golang-jwt/jwt/v4's jwt.Keyfunc function.
+// Keyfunc matches the signature of github.com/golang-jwt/jwt/v5's jwt.Keyfunc function.
 func (j *JWKS) Keyfunc(token *jwt.Token) (interface{}, error) {
 	kid, alg, err := kidAlg(token)
 	if err != nil {
@@ -23,6 +23,7 @@ func (j *JWKS) Keyfunc(token *jwt.Token) (interface{}, error) {
 	return j.getKey(alg, kid)
 }
 
+// Keyfunc matches the signature of github.com/golang-jwt/jwt/v5's jwt.Keyfunc function.
 func (m *MultipleJWKS) Keyfunc(token *jwt.Token) (interface{}, error) {
 	return m.keySelector(m, token)
 }

vendor/github.com/MicahParks/keyfunc/v2/multiple.go

@@ -4,11 +4,11 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 // ErrMultipleJWKSSize is returned when the number of JWKS given are not enough to make a MultipleJWKS.
-var ErrMultipleJWKSSize = errors.New("multiple JWKS must have two or more remote JWK Set resources")
+var ErrMultipleJWKSSize = errors.New("multiple JWKS must have one or more remote JWK Set resources")
 
 // MultipleJWKS manages multiple JWKS and has a field for jwt.Keyfunc.
 type MultipleJWKS struct {
@@ -16,14 +16,14 @@ type MultipleJWKS struct {
 	sets        map[string]*JWKS // No lock is required because this map is read-only after initialization.
 }
 
-// GetMultiple creates a new MultipleJWKS. A map of length two or more JWKS URLs to Options is required.
+// GetMultiple creates a new MultipleJWKS. A map of length one or more JWKS URLs to Options is required.
 //
 // Be careful when choosing Options for each JWKS in the map. If RefreshUnknownKID is set to true for all JWKS in the
 // map then many refresh requests would take place each time a JWT is processed, this should be rate limited by
 // RefreshRateLimit.
 func GetMultiple(multiple map[string]Options, options MultipleOptions) (multiJWKS *MultipleJWKS, err error) {
-	if multiple == nil || len(multiple) < 2 {
-		return nil, fmt.Errorf("multiple JWKS must have two or more remote JWK Set resources: %w", ErrMultipleJWKSSize)
+	if len(multiple) < 1 {
+		return nil, fmt.Errorf("multiple JWKS must have one or more remote JWK Set resources: %w", ErrMultipleJWKSSize)
 	}
 
 	if options.KeySelector == nil {
@@ -46,6 +46,8 @@ func GetMultiple(multiple map[string]Options, options MultipleOptions) (multiJWK
 	return multiJWKS, nil
 }
 
+// JWKSets returns a copy of the map of JWK Sets. The map itself is a copy, but the JWKS are not and should be treated
+// as read-only.
 func (m *MultipleJWKS) JWKSets() map[string]*JWKS {
 	sets := make(map[string]*JWKS, len(m.sets))
 	for u, jwks := range m.sets {
@@ -54,6 +56,7 @@ func (m *MultipleJWKS) JWKSets() map[string]*JWKS {
 	return sets
 }
 
+// KeySelectorFirst returns the first key found in the multiple JWK Sets.
 func KeySelectorFirst(multiJWKS *MultipleJWKS, token *jwt.Token) (key interface{}, err error) {
 	kid, alg, err := kidAlg(token)
 	if err != nil {

vendor/github.com/MicahParks/keyfunc/v2/options.go

@@ -9,7 +9,7 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 )
 
 // ErrInvalidHTTPStatusCode indicates that the HTTP status code is invalid.
@@ -17,7 +17,7 @@ var ErrInvalidHTTPStatusCode = errors.New("invalid HTTP status code")
 
 // Options represents the configuration options for a JWKS.
 //
-// If RefreshInterval and or RefreshUnknownKID is not nil, then a background goroutine will be launched to refresh the
+// If either RefreshInterval is non-zero or RefreshUnknownKID is true, then a background goroutine will be launched to refresh the
 // remote JWKS under the specified circumstances.
 //
 // When using a background refresh goroutine, make sure to use RefreshRateLimit if paired with RefreshUnknownKID. Also
@@ -54,7 +54,7 @@ type Options struct {
 	// if a background refresh goroutine is active.
 	RefreshErrorHandler ErrorHandler
 
-	// RefreshInterval is the duration to refresh the JWKS in the background via a new HTTP request. If this is not nil,
+	// RefreshInterval is the duration to refresh the JWKS in the background via a new HTTP request. If this is not zero,
 	// then a background goroutine will be used to refresh the JWKS once per the given interval. Make sure to call the
 	// JWKS.EndBackground method to end this goroutine when it's no longer needed.
 	RefreshInterval time.Duration
@@ -84,6 +84,14 @@ type Options struct {
 	// ResponseExtractor consumes a *http.Response and produces the raw JSON for the JWKS. By default, the
 	// ResponseExtractorStatusOK function is used. The default behavior changed in v1.4.0.
 	ResponseExtractor func(ctx context.Context, resp *http.Response) (json.RawMessage, error)
+
+	// TolerateInitialJWKHTTPError will tolerate any error from the initial HTTP JWKS request. If an error occurs,
+	// the RefreshErrorHandler will be given the error. The program will continue to run as if the error did not occur
+	// and a valid JWK Set with no keys was received in the response. This allows for the background goroutine to
+	// request the JWKS at a later time.
+	//
+	// It does not make sense to mark this field as true unless the background refresh goroutine is active.
+	TolerateInitialJWKHTTPError bool
 }
 
 // MultipleOptions is used to configure the behavior when multiple JWKS are used by MultipleJWKS.

vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md

@@ -17,7 +17,7 @@ and corresponding updates for existing programs.
 
 ## Parsing and Validation Options
 
-Under the hood, a new `validator` struct takes care of validating the claims. A
+Under the hood, a new `Validator` struct takes care of validating the claims. A
 long awaited feature has been the option to fine-tune the validation of tokens.
 This is now possible with several `ParserOption` functions that can be appended
 to most `Parse` functions, such as `ParseWithClaims`. The most important options
@@ -68,6 +68,16 @@ type Claims interface {
 }
 ```
 
+Users that previously directly called the `Valid` function on their claims,
+e.g., to perform validation independently of parsing/verifying a token, can now
+use the `jwt.NewValidator` function to create a `Validator` independently of the
+`Parser`.
+
+```go
+var v = jwt.NewValidator(jwt.WithLeeway(5*time.Second))
+v.Validate(myClaims)
+```
+
 ### Supported Claim Types and Removal of `StandardClaims`
 
 The two standard claim types supported by this library, `MapClaims` and
@@ -169,7 +179,7 @@ be a drop-in replacement, if you're having troubles migrating, please open an
 issue.
 
 You can replace all occurrences of `github.com/dgrijalva/jwt-go` or
-`github.com/golang-jwt/jwt` with `github.com/golang-jwt/jwt/v5`, either manually
+`github.com/golang-jwt/jwt` with `github.com/golang-jwt/jwt/v4`, either manually
 or by using tools such as `sed` or `gofmt`.
 
 And then you'd typically run:

vendor/github.com/golang-jwt/jwt/v5/ecdsa.go

@@ -62,7 +62,7 @@ func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interf
 	case *ecdsa.PublicKey:
 		ecdsaKey = k
 	default:
-		return ErrInvalidKeyType
+		return newError("ECDSA verify expects *ecdsa.PublicKey", ErrInvalidKeyType)
 	}
 
 	if len(sig) != 2*m.KeySize {
@@ -96,7 +96,7 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) ([]byte
 	case *ecdsa.PrivateKey:
 		ecdsaKey = k
 	default:
-		return nil, ErrInvalidKeyType
+		return nil, newError("ECDSA sign expects *ecdsa.PrivateKey", ErrInvalidKeyType)
 	}
 
 	// Create the hasher

vendor/github.com/golang-jwt/jwt/v5/ed25519.go

@@ -1,11 +1,10 @@
 package jwt
 
 import (
-	"errors"
-
 	"crypto"
 	"crypto/ed25519"
 	"crypto/rand"
+	"errors"
 )
 
 var (
@@ -39,7 +38,7 @@ func (m *SigningMethodEd25519) Verify(signingString string, sig []byte, key inte
 	var ok bool
 
 	if ed25519Key, ok = key.(ed25519.PublicKey); !ok {
-		return ErrInvalidKeyType
+		return newError("Ed25519 verify expects ed25519.PublicKey", ErrInvalidKeyType)
 	}
 
 	if len(ed25519Key) != ed25519.PublicKeySize {
@@ -61,7 +60,7 @@ func (m *SigningMethodEd25519) Sign(signingString string, key interface{}) ([]by
 	var ok bool
 
 	if ed25519Key, ok = key.(crypto.Signer); !ok {
-		return nil, ErrInvalidKeyType
+		return nil, newError("Ed25519 sign expects crypto.Signer", ErrInvalidKeyType)
 	}
 
 	if _, ok := ed25519Key.Public().(ed25519.PublicKey); !ok {

vendor/github.com/golang-jwt/jwt/v5/errors_go_other.go

@@ -22,7 +22,7 @@ func (je joinedError) Is(err error) bool {
 
 // wrappedErrors is a workaround for wrapping multiple errors in environments
 // where Go 1.20 is not available. It basically uses the already implemented
-// functionatlity of joinedError to handle multiple errors with supplies a
+// functionality of joinedError to handle multiple errors with supplies a
 // custom error message that is identical to the one we produce in Go 1.20 using
 // multiple %w directives.
 type wrappedErrors struct {

vendor/github.com/golang-jwt/jwt/v5/hmac.go

@@ -59,7 +59,7 @@ func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interfa
 	// Verify the key is the right type
 	keyBytes, ok := key.([]byte)
 	if !ok {
-		return ErrInvalidKeyType
+		return newError("HMAC verify expects []byte", ErrInvalidKeyType)
 	}
 
 	// Can we use the specified hashing method?
@@ -100,5 +100,5 @@ func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte,
 		return hasher.Sum(nil), nil
 	}
 
-	return nil, ErrInvalidKeyType
+	return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
 }

vendor/github.com/golang-jwt/jwt/v5/none.go

@@ -32,7 +32,7 @@ func (m *signingMethodNone) Verify(signingString string, sig []byte, key interfa
 		return NoneSignatureTypeDisallowedError
 	}
 	// If signing method is none, signature must be an empty string
-	if string(sig) != "" {
+	if len(sig) != 0 {
 		return newError("'none' signing method with non-empty signature", ErrTokenUnverifiable)
 	}
 

vendor/github.com/golang-jwt/jwt/v5/parser.go

@@ -18,7 +18,7 @@ type Parser struct {
 	// Skip claims validation during token parsing.
 	skipClaimsValidation bool
 
-	validator *validator
+	validator *Validator
 
 	decodeStrict bool
 
@@ -28,7 +28,7 @@ type Parser struct {
 // NewParser creates a new Parser with the specified options
 func NewParser(options ...ParserOption) *Parser {
 	p := &Parser{
-		validator: &validator{},
+		validator: &Validator{},
 	}
 
 	// Loop through our parsing options and apply them
@@ -74,24 +74,40 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
 		}
 	}
 
-	// Lookup key
-	var key interface{}
-	if keyFunc == nil {
-		// keyFunc was not provided.  short circuiting validation
-		return token, newError("no keyfunc was provided", ErrTokenUnverifiable)
-	}
-	if key, err = keyFunc(token); err != nil {
-		return token, newError("error while executing keyfunc", ErrTokenUnverifiable, err)
-	}
-
 	// Decode signature
 	token.Signature, err = p.DecodeSegment(parts[2])
 	if err != nil {
 		return token, newError("could not base64 decode signature", ErrTokenMalformed, err)
 	}
+	text := strings.Join(parts[0:2], ".")
 
-	// Perform signature validation
-	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
+	// Lookup key(s)
+	if keyFunc == nil {
+		// keyFunc was not provided.  short circuiting validation
+		return token, newError("no keyfunc was provided", ErrTokenUnverifiable)
+	}
+
+	got, err := keyFunc(token)
+	if err != nil {
+		return token, newError("error while executing keyfunc", ErrTokenUnverifiable, err)
+	}
+
+	switch have := got.(type) {
+	case VerificationKeySet:
+		if len(have.Keys) == 0 {
+			return token, newError("keyfunc returned empty verification key set", ErrTokenUnverifiable)
+		}
+		// Iterate through keys and verify signature, skipping the rest when a match is found.
+		// Return the last error if no match is found.
+		for _, key := range have.Keys {
+			if err = token.Method.Verify(text, token.Signature, key); err == nil {
+				break
+			}
+		}
+	default:
+		err = token.Method.Verify(text, token.Signature, have)
+	}
+	if err != nil {
 		return token, newError("", ErrTokenSignatureInvalid, err)
 	}
 
@@ -99,7 +115,7 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
 	if !p.skipClaimsValidation {
 		// Make sure we have at least a default validator
 		if p.validator == nil {
-			p.validator = newValidator()
+			p.validator = NewValidator()
 		}
 
 		if err := p.validator.Validate(claims); err != nil {
@@ -117,8 +133,8 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
 //
 // WARNING: Don't use this method unless you know what you're doing.
 //
-// It's only ever useful in cases where you know the signature is valid (because it has
-// been checked previously in the stack) and you want to extract values from it.
+// It's only ever useful in cases where you know the signature is valid (since it has already
+// been or will be checked elsewhere in the stack) and you want to extract values from it.
 func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
 	parts = strings.Split(tokenString, ".")
 	if len(parts) != 3 {
@@ -130,9 +146,6 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
 	// parse Header
 	var headerBytes []byte
 	if headerBytes, err = p.DecodeSegment(parts[0]); err != nil {
-		if strings.HasPrefix(strings.ToLower(tokenString), "bearer ") {
-			return token, parts, newError("tokenstring should not contain 'bearer '", ErrTokenMalformed)
-		}
 		return token, parts, newError("could not base64 decode header", ErrTokenMalformed, err)
 	}
 	if err = json.Unmarshal(headerBytes, &token.Header); err != nil {
@@ -140,23 +153,33 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
 	}
 
 	// parse Claims
-	var claimBytes []byte
 	token.Claims = claims
 
-	if claimBytes, err = p.DecodeSegment(parts[1]); err != nil {
+	claimBytes, err := p.DecodeSegment(parts[1])
+	if err != nil {
 		return token, parts, newError("could not base64 decode claim", ErrTokenMalformed, err)
 	}
-	dec := json.NewDecoder(bytes.NewBuffer(claimBytes))
-	if p.useJSONNumber {
-		dec.UseNumber()
-	}
-	// JSON Decode.  Special case for map type to avoid weird pointer behavior
-	if c, ok := token.Claims.(MapClaims); ok {
-		err = dec.Decode(&c)
+
+	// If `useJSONNumber` is enabled then we must use *json.Decoder to decode
+	// the claims. However, this comes with a performance penalty so only use
+	// it if we must and, otherwise, simple use json.Unmarshal.
+	if !p.useJSONNumber {
+		// JSON Unmarshal. Special case for map type to avoid weird pointer behavior.
+		if c, ok := token.Claims.(MapClaims); ok {
+			err = json.Unmarshal(claimBytes, &c)
+		} else {
+			err = json.Unmarshal(claimBytes, &claims)
+		}
 	} else {
-		err = dec.Decode(&claims)
+		dec := json.NewDecoder(bytes.NewBuffer(claimBytes))
+		dec.UseNumber()
+		// JSON Decode. Special case for map type to avoid weird pointer behavior.
+		if c, ok := token.Claims.(MapClaims); ok {
+			err = dec.Decode(&c)
+		} else {
+			err = dec.Decode(&claims)
+		}
 	}
-	// Handle decode error
 	if err != nil {
 		return token, parts, newError("could not JSON decode claim", ErrTokenMalformed, err)
 	}

vendor/github.com/golang-jwt/jwt/v5/parser_option.go

@@ -58,6 +58,14 @@ func WithIssuedAt() ParserOption {
 	}
 }
 
+// WithExpirationRequired returns the ParserOption to make exp claim required.
+// By default exp claim is optional.
+func WithExpirationRequired() ParserOption {
+	return func(p *Parser) {
+		p.validator.requireExp = true
+	}
+}
+
 // WithAudience configures the validator to require the specified audience in
 // the `aud` claim. Validation will fail if the audience is not listed in the
 // token or the `aud` claim is missing.

vendor/github.com/golang-jwt/jwt/v5/rsa.go

@@ -51,7 +51,7 @@ func (m *SigningMethodRSA) Verify(signingString string, sig []byte, key interfac
 	var ok bool
 
 	if rsaKey, ok = key.(*rsa.PublicKey); !ok {
-		return ErrInvalidKeyType
+		return newError("RSA verify expects *rsa.PublicKey", ErrInvalidKeyType)
 	}
 
 	// Create hasher
@@ -73,7 +73,7 @@ func (m *SigningMethodRSA) Sign(signingString string, key interface{}) ([]byte,
 
 	// Validate type of key
 	if rsaKey, ok = key.(*rsa.PrivateKey); !ok {
-		return nil, ErrInvalidKey
+		return nil, newError("RSA sign expects *rsa.PrivateKey", ErrInvalidKeyType)
 	}
 
 	// Create the hasher

vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go

@@ -88,7 +88,7 @@ func (m *SigningMethodRSAPSS) Verify(signingString string, sig []byte, key inter
 	case *rsa.PublicKey:
 		rsaKey = k
 	default:
-		return ErrInvalidKey
+		return newError("RSA-PSS verify expects *rsa.PublicKey", ErrInvalidKeyType)
 	}
 
 	// Create hasher
@@ -115,7 +115,7 @@ func (m *SigningMethodRSAPSS) Sign(signingString string, key interface{}) ([]byt
 	case *rsa.PrivateKey:
 		rsaKey = k
 	default:
-		return nil, ErrInvalidKeyType
+		return nil, newError("RSA-PSS sign expects *rsa.PrivateKey", ErrInvalidKeyType)
 	}
 
 	// Create the hasher

vendor/github.com/golang-jwt/jwt/v5/token.go

@@ -1,6 +1,7 @@
 package jwt
 
 import (
+	"crypto"
 	"encoding/base64"
 	"encoding/json"
 )
@@ -9,8 +10,21 @@ import (
 // the key for verification.  The function receives the parsed, but unverified
 // Token.  This allows you to use properties in the Header of the token (such as
 // `kid`) to identify which key to use.
+//
+// The returned interface{} may be a single key or a VerificationKeySet containing
+// multiple keys.
 type Keyfunc func(*Token) (interface{}, error)
 
+// VerificationKey represents a public or secret key for verifying a token's signature.
+type VerificationKey interface {
+	crypto.PublicKey | []uint8
+}
+
+// VerificationKeySet is a set of public or secret keys. It is used by the parser to verify a token.
+type VerificationKeySet struct {
+	Keys []VerificationKey
+}
+
 // Token represents a JWT Token.  Different fields will be used depending on
 // whether you're creating or parsing/verifying a token.
 type Token struct {

vendor/github.com/golang-jwt/jwt/v5/types.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"math"
-	"reflect"
 	"strconv"
 	"time"
 )
@@ -121,14 +120,14 @@ func (s *ClaimStrings) UnmarshalJSON(data []byte) (err error) {
 		for _, vv := range v {
 			vs, ok := vv.(string)
 			if !ok {
-				return &json.UnsupportedTypeError{Type: reflect.TypeOf(vv)}
+				return ErrInvalidType
 			}
 			aud = append(aud, vs)
 		}
 	case nil:
 		return nil
 	default:
-		return &json.UnsupportedTypeError{Type: reflect.TypeOf(v)}
+		return ErrInvalidType
 	}
 
 	*s = aud

vendor/github.com/golang-jwt/jwt/v5/validator.go

@@ -28,13 +28,12 @@ type ClaimsValidator interface {
 	Validate() error
 }
 
-// validator is the core of the new Validation API. It is automatically used by
+// Validator is the core of the new Validation API. It is automatically used by
 // a [Parser] during parsing and can be modified with various parser options.
 //
-// Note: This struct is intentionally not exported (yet) as we want to
-// internally finalize its API. In the future, we might make it publicly
-// available.
-type validator struct {
+// The [NewValidator] function should be used to create an instance of this
+// struct.
+type Validator struct {
 	// leeway is an optional leeway that can be provided to account for clock skew.
 	leeway time.Duration
 
@@ -42,6 +41,9 @@ type validator struct {
 	// validation. If unspecified, this defaults to time.Now.
 	timeFunc func() time.Time
 
+	// requireExp specifies whether the exp claim is required
+	requireExp bool
+
 	// verifyIat specifies whether the iat (Issued At) claim will be verified.
 	// According to https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6 this
 	// only specifies the age of the token, but no validation check is
@@ -62,16 +64,28 @@ type validator struct {
 	expectedSub string
 }
 
-// newValidator can be used to create a stand-alone validator with the supplied
+// NewValidator can be used to create a stand-alone validator with the supplied
 // options. This validator can then be used to validate already parsed claims.
-func newValidator(opts ...ParserOption) *validator {
+//
+// Note: Under normal circumstances, explicitly creating a validator is not
+// needed and can potentially be dangerous; instead functions of the [Parser]
+// class should be used.
+//
+// The [Validator] is only checking the *validity* of the claims, such as its
+// expiration time, but it does NOT perform *signature verification* of the
+// token.
+func NewValidator(opts ...ParserOption) *Validator {
 	p := NewParser(opts...)
 	return p.validator
 }
 
 // Validate validates the given claims. It will also perform any custom
 // validation if claims implements the [ClaimsValidator] interface.
-func (v *validator) Validate(claims Claims) error {
+//
+// Note: It will NOT perform any *signature verification* on the token that
+// contains the claims and expects that the [Claim] was already successfully
+// verified.
+func (v *Validator) Validate(claims Claims) error {
 	var (
 		now  time.Time
 		errs []error = make([]error, 0, 6)
@@ -86,8 +100,9 @@ func (v *validator) Validate(claims Claims) error {
 	}
 
 	// We always need to check the expiration time, but usage of the claim
-	// itself is OPTIONAL.
-	if err = v.verifyExpiresAt(claims, now, false); err != nil {
+	// itself is OPTIONAL by default. requireExp overrides this behavior
+	// and makes the exp claim mandatory.
+	if err = v.verifyExpiresAt(claims, now, v.requireExp); err != nil {
 		errs = append(errs, err)
 	}
 
@@ -149,7 +164,7 @@ func (v *validator) Validate(claims Claims) error {
 //
 // Additionally, if any error occurs while retrieving the claim, e.g., when its
 // the wrong type, an ErrTokenUnverifiable error will be returned.
-func (v *validator) verifyExpiresAt(claims Claims, cmp time.Time, required bool) error {
+func (v *Validator) verifyExpiresAt(claims Claims, cmp time.Time, required bool) error {
 	exp, err := claims.GetExpirationTime()
 	if err != nil {
 		return err
@@ -170,7 +185,7 @@ func (v *validator) verifyExpiresAt(claims Claims, cmp time.Time, required bool)
 //
 // Additionally, if any error occurs while retrieving the claim, e.g., when its
 // the wrong type, an ErrTokenUnverifiable error will be returned.
-func (v *validator) verifyIssuedAt(claims Claims, cmp time.Time, required bool) error {
+func (v *Validator) verifyIssuedAt(claims Claims, cmp time.Time, required bool) error {
 	iat, err := claims.GetIssuedAt()
 	if err != nil {
 		return err
@@ -191,7 +206,7 @@ func (v *validator) verifyIssuedAt(claims Claims, cmp time.Time, required bool)
 //
 // Additionally, if any error occurs while retrieving the claim, e.g., when its
 // the wrong type, an ErrTokenUnverifiable error will be returned.
-func (v *validator) verifyNotBefore(claims Claims, cmp time.Time, required bool) error {
+func (v *Validator) verifyNotBefore(claims Claims, cmp time.Time, required bool) error {
 	nbf, err := claims.GetNotBefore()
 	if err != nil {
 		return err
@@ -211,7 +226,7 @@ func (v *validator) verifyNotBefore(claims Claims, cmp time.Time, required bool)
 //
 // Additionally, if any error occurs while retrieving the claim, e.g., when its
 // the wrong type, an ErrTokenUnverifiable error will be returned.
-func (v *validator) verifyAudience(claims Claims, cmp string, required bool) error {
+func (v *Validator) verifyAudience(claims Claims, cmp string, required bool) error {
 	aud, err := claims.GetAudience()
 	if err != nil {
 		return err
@@ -247,7 +262,7 @@ func (v *validator) verifyAudience(claims Claims, cmp string, required bool) err
 //
 // Additionally, if any error occurs while retrieving the claim, e.g., when its
 // the wrong type, an ErrTokenUnverifiable error will be returned.
-func (v *validator) verifyIssuer(claims Claims, cmp string, required bool) error {
+func (v *Validator) verifyIssuer(claims Claims, cmp string, required bool) error {
 	iss, err := claims.GetIssuer()
 	if err != nil {
 		return err
@@ -267,7 +282,7 @@ func (v *validator) verifyIssuer(claims Claims, cmp string, required bool) error
 //
 // Additionally, if any error occurs while retrieving the claim, e.g., when its
 // the wrong type, an ErrTokenUnverifiable error will be returned.
-func (v *validator) verifySubject(claims Claims, cmp string, required bool) error {
+func (v *Validator) verifySubject(claims Claims, cmp string, required bool) error {
 	sub, err := claims.GetSubject()
 	if err != nil {
 		return err