Comments (3)
sergiught
commented on May 18, 2024
Hey @josh-feldman 👋🏻
Thanks for raising this and apologies for the unexpected behavior change. The fact that the previous version allowed passing an empty audience slice and skipping the validation, was flawed and was considered a bug. Validation should always occur on the issuer, audience and time based claims.
from go-jwt-middleware.
josh-feldman
commented on May 18, 2024
@sergiught should we at least change the error to validate an empty audience array as invalid expectations or at least one audience must be specified? The current error for not passing in an audience array and getting back that the token is invalid regardless of whether the audience field exists or not is misleading.
from go-jwt-middleware.
sergiught
commented on May 18, 2024
Agreed @josh-feldman, the error message definitely needs to be improved and fire earlier when we set up the validator in case the audience is nil or len 0. I'll try to find some time to improve that soon. Thanks!
from go-jwt-middleware.
Related Issues (20)
- Custom claims not decoded HOT 4
- Test handler that requires authentication HOT 3
- Token used before issued
- Failed to get decoded token using Go fiber HOT 1
- provide a gin gonic example HOT 2
- Missing cookie causes CookieTokenExtractor to return error HOT 7
- Allow middleware to be used in a gRPC environment HOT 7
- Cannot import internal oidc package HOT 1
- An error occured while validating JWT: jwt invalid: error getting the keys from the key func: could not get well known endpoints from url https:///.well-known/openid-configuration: Get "https:///.well-known/openid-configuration": http: no Host in request URL HOT 3
- Improve performance of JWKS Caching Provider HOT 4
- Support validate multiple issuers HOT 1
- Example for IRIS Framework
- Allow custom http Client to be used by the JWKS Provider HOT 2
- issue with token validator HOT 4
- Audience Check Should Not Be Mandatory HOT 4
- v2.1.0 Diversions from JOSE By validating audiences when none expected HOT 4
- validationKeyGetter - can not use dgrijalva as form3tech-oss Keyfunc value in struct literal HOT 1
- issue with token validator
- go-jose v2 is deprecated, should be upgraded to v3 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from go-jwt-middleware.