exchange jwt library #95
Conversation
|
I updated now to version 4.0.0 (first official version with go mod support) Is there anything i can do to speed this up? Although this library does not seam to be directly affected, IMO it shouldn't rely on a not actively maintained jwt-library with a high security CVE. relates #86 |
|
ups .. just created the same PR #101 ... sad that Duo-Labs does not care 👎 |
|
We could perhaps create a community fork where we can get some of these PRs merged. I agree it's not ideal. OTOH The software is provided AS IS so we can't really expect anything from Duo-labs if they don't want to actively maintain it. So no hard feelings. But would be nice if they can communicate this. I can also understand that people might have shifted priorities, lost interest, or got burnt out. It happens. and is OK. |
I think a large part of the issue is that most/all of the original folks that were maintaining this as a side project have moved on from Duo. |
|
@arianvp I totally agree. It's provided AS IS but a clear communication would have been nice. As we (CAOS Ltd.) rely heavily on WebAuthN (and Golang) for our IAM product ZITADEL, we are interested in an actively maintained library. |
|
I'd be happy if a fork of this library was created inside the P.S. I started on a minimal webauthn implementation with no external dependencies: https://github.com/arianvp/webauthn-minimal but it's purposefully less featureful than this library. And only targets the latest version of the spec. It is under 300 lines of code so more easily auditable for correctness hopefully. |
* Moved COSE related things to their own package * move assertion to cose verify * Server-ServerPublicKeyCredentialCreationOptions-Req-1 * Update login.go * Fix packed attestation signature verification and added ServerResponse structure * Conformance testing fixes for MakeCredential * Conformance tests nearly complete * Initial metadata layout * Metadata progress * Further progress on metadata * Resolving conflict * Production and conformance metadata now load * Move SafetyNet to jwt-go and add sanity check for timestamp * Certificate checks on metadata TOC * Restrict timestamp check in safetynet to conformance only * Don't return safetynet x5c * Metadata (#1) * Moved COSE related things to their own package * move assertion to cose verify * Server-ServerPublicKeyCredentialCreationOptions-Req-1 * Update login.go * Fix packed attestation signature verification and added ServerResponse structure * Conformance testing fixes for MakeCredential * Conformance tests nearly complete * Initial metadata layout * Metadata progress * Further progress on metadata * Resolving conflict * Production and conformance metadata now load * Move SafetyNet to jwt-go and add sanity check for timestamp * Certificate checks on metadata TOC * Restrict timestamp check in safetynet to conformance only * Don't return safetynet x5c * SafetyNet timestamp check * Added metadata tests * Update metadata tests
|
Superseded by #101 (which upgrades the JWT lib to a more recent version) |
dgrijalva/jwt-go is no longer maintained: dgrijalva/jwt-go#462
this PR exchanges dgrijalva/jwt-go (3.2.0) with github.com/golang-jwt/jwt (3.2.2)