Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to go-jose/v4 #583

Closed
1 of 2 tasks
gibmat opened this issue Apr 6, 2024 · 4 comments · Fixed by #588
Closed
1 of 2 tasks

Update to go-jose/v4 #583

gibmat opened this issue Apr 6, 2024 · 4 comments · Fixed by #588
Assignees
@muhlemmer
Labels
auth improvement

Comments

@gibmat
Copy link

gibmat commented Apr 6, 2024

Preflight Checklist

  • I could not find a solution in the existing issues, docs, nor discussions
  • I have joined the ZITADEL chat

Describe your problem

go-jose/v4 was released about a month ago, with version 4.0.1 fixing CVE-2024-28180. I'd like to update the packaging of this library in Debian, but there was an API change in go-jose/v4 that requires specifying the expected algorithm(s) when calling ParseSigned() (go-jose/go-jose#69). It doesn't look that hard to fix, but I'm not familiar enough with the zitadel/oidc codebase to confidently submit a pull request fixing this.

# github.com/zitadel/oidc/pkg/oidc
src/github.com/zitadel/oidc/pkg/oidc/verifier.go:151:31: not enough arguments in call to jose.ParseSigned
        have (string)
        want (string, []jose.SignatureAlgorithm)

Describe your ideal solution

Update to go-jose/v4.

Version

3.19.0

Environment

Self-hosted

Additional Context

My ultimate goal is to update zitadel/oidc in Debian so I can package and upload the latest release of Incus, which uses this library.
@muhlemmer muhlemmer added the auth label Apr 8, 2024
@muhlemmer
Copy link
Collaborator

We will have a look at this. Meanwhile I would like to note that the linked vulnerability only applies to JWE, which we currently not use in OIDC.

@muhlemmer muhlemmer self-assigned this Apr 10, 2024
@gibmat
Copy link
Author

gibmat commented Apr 10, 2024

Thanks! Due to how Debian's packaging works for Go libraries, it's hard to have different major versions of a library in parallel without creating a unique package for each version. I think that would be overkill for the case of go-jose, so hopefully this isn't too hard of a change to make.

muhlemmer added a commit that referenced this issue Apr 10, 2024
@muhlemmer
feat(deps): update go-jose to v4
4741b5e 
This change updates to go-jose v4, which was a new major release.

jose.ParseSigned now expects the supported signing algorithms to be passed, on which we previously did our own check. As they use a dedicated type for this, the slice of string needs to be converted. The returned error also need to be handled in a non-standard way in order to stay compatible.

For OIDC v4 we should use the jose.SignatureAlgorithm  type directly and wrap errors, instead of returned static defined errors.

Closes #583
@muhlemmer muhlemmer mentioned this issue Apr 10, 2024
Merged
13 tasks
muhlemmer added a commit that referenced this issue Apr 11, 2024
@muhlemmer
feat(deps): update go-jose to v4 (#588)
33f8df7 
This change updates to go-jose v4, which was a new major release.

jose.ParseSigned now expects the supported signing algorithms to be passed, on which we previously did our own check. As they use a dedicated type for this, the slice of string needs to be converted. The returned error also need to be handled in a non-standard way in order to stay compatible.

For OIDC v4 we should use the jose.SignatureAlgorithm  type directly and wrap errors, instead of returned static defined errors.

Closes #583
@muhlemmer
Copy link
Collaborator

All done! Its nice to hear this project is included in Debian.

@gibmat
Copy link
Author

gibmat commented Apr 11, 2024

🎉 Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@muhlemmer muhlemmer

Labels
auth improvement
Projects
Product Management
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(deps): update go-jose to v4 zitadel/oidc
2 participants
@muhlemmer @gibmat