v0.0.9

@kenjenkins released this 07 Jul 16:41
· 30 commits to main since this release
416deda

This release contains improvements to JWT verification and ease of use.

Improvements

  • Verifier.GetIdentity() will now validate JWT timestamps (iat and exp) against the current time by default. (Previously these timestamps were validated only if a fixed time was provided in the Expected field of the Options struct.)

  • New() will now provide a default JSONWebKeyStore implementation. (Previously it was required to supply an implementation of this interface.) The default implementation uses an in-memory LRU cache with a small fixed capacity, and should be sufficient for most Pomerium deployments. (The common case involves just one JWT signing key, or two during signing key rotation.)

  • The Identity struct now includes a field for the Name claim.
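
The timestamp default described in the first item above, modelled as an added example in standard-library Go (not the SDK's or go-jose's code). `timeClaims`, `referenceTime`, `checkTimestamps`, the `defaultToNow` switch and the `leeway` parameter are hypothetical names, the claim values are constructed, and the claims are assumed to come from a token whose signature was already verified.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type timeClaims struct {
	IssuedAt int64 // iat, Unix seconds (0 = claim absent)
	Expiry   int64 // exp, Unix seconds (0 = claim absent)
}

var errExpired = errors.New("token is expired (exp)")
var errFuture = errors.New("token issued in the future (iat)")

// referenceTime picks the instant to compare against; a zero `fixed` means no fixed time was set.
func referenceTime(fixed time.Time, defaultToNow bool, now func() time.Time) (ref time.Time, ok bool) {
	switch {
	case !fixed.IsZero():
		return fixed, true
	case defaultToNow: // v0.0.9 default as the notes describe it
		return now(), true
	default: // pre-v0.0.9 default: timestamps never examined
		return time.Time{}, false
	}
}

// checkTimestamps rejects expired and future-issued tokens; leeway absorbs clock skew.
func checkTimestamps(c timeClaims, fixed time.Time, defaultToNow bool, now func() time.Time, leeway time.Duration) error {
	ref, ok := referenceTime(fixed, defaultToNow, now)
	if !ok {
		return nil
	}
	if c.Expiry != 0 && ref.Add(-leeway).After(time.Unix(c.Expiry, 0)) {
		return errExpired
	}
	if c.IssuedAt != 0 && ref.Add(leeway).Before(time.Unix(c.IssuedAt, 0)) {
		return errFuture
	}
	return nil
}

func main() {
	now := func() time.Time { return time.Unix(1700000000, 0) } // constructed clock
	old := timeClaims{IssuedAt: 1699000000, Expiry: 1699003600} // constructed, long expired
	fmt.Println("pre-v0.0.9 default:", checkTimestamps(old, time.Time{}, false, now, time.Minute))
	fmt.Println("v0.0.9 default:", checkTimestamps(old, time.Time{}, true, now, time.Minute))
}
```

Callers that relied on the old default to accept long-lived or replayed tokens will see those tokens rejected after upgrading.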

Breaking Changes

  • This release upgrades the go-jose module from gopkg.in/square/go-jose.v2 to github.com/go-jose/go-jose/v3. As the exported API incorporates some types from this library, any clients using these types will also need to import the new module version.

  • The definition of the JSONWebKeyStore interface has changed: the key type is now string and the value type is now *jose.JSONWebKey.

Upgrade Guide

Upgrading from v0.0.8:

  • To set the Expected field in the Options struct (and you should set at least Audience and Issuer here), you will now need to import the package "github.com/go-jose/go-jose/v3/jwt" instead of "gopkg.in/square/go-jose.v2/jwt".

  • The Datastore field in the Options struct can now be left unset, if the default JSONWebKeyStore implementation is sufficient for your needs. Otherwise, you will need to update your JSONWebKeyStore implementation to conform to the new interface definition.

Full Changelog: v0.0.8...v0.0.9