
Set audience validation default to off #25

Merged: 8 commits, Dec 19, 2023

Conversation

MarcusGrass
Contributor

@MarcusGrass MarcusGrass commented Dec 11, 2023

Checklist

  • I have read the Contributor Guide
  • I have read and agree to the Code of Conduct
  • I have added a description of my changes and why I'd like them included in the section below

Description of Changes

Since jsonwebtoken 9.x, audience is validated by default. The library's validation of that claim is itself finicky, since audience can be provided in multiple (valid) ways. To avoid creating production incidents because of an upstream library's unexpected parsing strategy, audience validation will default to off as in 8.x; the client then gets the responsibility to validate audience after decoding.

Whether this should be considered a major-version bump or a bugfix is debatable. If this audience validation change is considered a bug, then this is a bugfix for a bug introduced in 0.6.1; if that's not considered a bug, then 0.6.1 should have been 0.7.0 and this should be 0.8.0. I'm leaning towards this being a bugfix, since this behaviour was not intended, placing us at 0.6.2.

Drive-by fixing the changelog and toml version.

There was some spec non-compliance where the userinfo endpoint was required although the spec says recommended; made that optional, causing this to be a major version bump anyway.

Also found a bug in the PKCE+client-secret flow that was fixed up.

Fixed the examples by duplicating them, one for basic auth and one for PKCE; they are now both up to date and hopefully a bit easier to understand.
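With audience validation off by default, the check moves to the client after decoding. The following is an added illustration of that client-side check, not code from this PR or the project: the `Aud` enum, `AudError` and `check_audience` are names chosen here, and `Aud` models the two shapes RFC 7519 permits for the `aud` claim (a single string or an array of strings), which is the "multiple (valid) ways" the description refers to. A missing or empty audience fails closed, and matching is exact string comparison against an allow-list.

```rust
// Added example: audience check performed by the client after the token is
// decoded, now that the library no longer validates `aud` by default.
// `Aud` mirrors how an untagged deserializer would represent the claim:
// RFC 7519 allows either a single string or an array of strings.

#[derive(Debug, Clone, PartialEq)]
pub enum Aud {
    Single(String),
    Multiple(Vec<String>),
}

#[derive(Debug, PartialEq)]
pub enum AudError {
    /// Token carries no `aud` claim at all.
    Missing,
    /// `aud` is present but names nobody (empty array or only empty strings).
    Empty,
    /// `aud` names only audiences this service does not accept.
    NotAllowed(Vec<String>),
}

/// Accept the token only if at least one audience it names is in `allowed`.
/// Comparison is exact, so a token minted for a different service is rejected
/// even when its audience shares a prefix with ours. Missing and empty claims
/// are rejected rather than silently accepted.
pub fn check_audience(aud: Option<&Aud>, allowed: &[&str]) -> Result<(), AudError> {
    let names: Vec<String> = match aud {
        None => return Err(AudError::Missing),
        Some(Aud::Single(s)) => vec![s.clone()],
        Some(Aud::Multiple(v)) => v.clone(),
    };
    if names.is_empty() || names.iter().all(|n| n.is_empty()) {
        return Err(AudError::Empty);
    }
    if names.iter().any(|n| allowed.contains(&n.as_str())) {
        Ok(())
    } else {
        Err(AudError::NotAllowed(names))
    }
}

fn main() {
    // Constructed sample values; the service accepts exactly one audience.
    let allowed = ["https://api.example.test"];
    let single = Aud::Single("https://api.example.test".to_string());
    let multi = Aud::Multiple(vec![
        "https://other.example.test".to_string(),
        "https://api.example.test".to_string(),
    ]);
    let unrelated = Aud::Single("https://unrelated.example.test".to_string());

    println!("single:    {:?}", check_audience(Some(&single), &allowed));
    println!("multi:     {:?}", check_audience(Some(&multi), &allowed));
    println!("unrelated: {:?}", check_audience(Some(&unrelated), &allowed));
    println!("missing:   {:?}", check_audience(None, &allowed));
}
```

In practice the `Aud` value would come from the decoded claims struct (for example via an untagged serde enum), and the allow-list from service configuration; the point is that the decision is made explicitly in the client rather than depending on how the library happens to parse the claim.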

@MarcusGrass MarcusGrass requested a review from vojd as a code owner December 11, 2023 11:39
@vojd vojd changed the title Mg/aud validate default off Set audience validation default to off Dec 12, 2023
@vojd
Member

vojd commented Dec 12, 2023

Will approve when we know that the examples aren't negatively affected by this seemingly minor (but big) change.

@MarcusGrass MarcusGrass merged commit 9ecded1 into main Dec 19, 2023
6 checks passed
@MarcusGrass MarcusGrass deleted the mg/aud-validate-default-off branch December 19, 2023 14:44