jwt-go
Version History
ParseUnverified to allow users to split up the tasks of parsing and validation
ErrInvalidKeyType instead of ErrInvalidKey where appropriate
request.ParseFromRequest, which allows for an arbitrary list of modifiers to parsing behavior. Initial set includes WithClaims and WithParser. Existing usage of this function will continue to work as before.
ParseFromRequestWithClaims to simplify API in the future.
jwt command line tool
SkipClaimsValidation option to Parser
[]byte keys when using RSA signing methods. This convenience feature could contribute to security vulnerabilities involving mismatched key types with signing methods.
ParseFromRequest has been moved to request subpackage and usage has changed
Claims property on Token is now type Claims instead of map[string]interface{}. The default value is type MapClaims, which is an alias to map[string]interface{}. This makes it possible to use a custom type when decoding claims.
Claims interface type to allow users to decode the claims into a custom type
ParseWithClaims, which takes a third argument of type Claims. Use this function instead of Parse if you have a custom type you'd like to decode into.
ParseFromRequest, which is now in the request subpackage
ParseFromRequestWithClaims which is the FromRequest equivalent of ParseWithClaims
Extractor, which is used for extracting JWT strings from http requests. Used with ParseFromRequest and ParseFromRequestWithClaims.
ValidationError, which contains the raw error returned by calls made by parse/verify (such as those returned by keyfunc or json parser)
This will likely be the last backwards compatible release before 3.0.0, excluding essential bug fixes.
-show to the jwt command that will just output the decoded token without verifying
ParseRSAPublicKeyFromPEM
BEARER
json.Number type instead of float64 when parsing token JSON
nil Keyfunc being passed to Parse. Result will now be the parsed token and an error, instead of a panic.
Backwards compatible API change that was missed in 2.0.0.
SignedString method on Token now takes interface{} instead of []byte
There were two major reasons for breaking backwards compatibility with this update. The first was a refactor required to expand the width of the RSA and HMAC-SHA signing implementations. There will likely be no required code changes to support this change.
The second update, while unfortunately requiring a small change in integration, is required to open up this library to other signing methods. Not all keys used for all signing methods have a single standard on-disk representation. Requiring []byte as the type for all keys proved too limiting. Additionally, this implementation allows for pre-parsed tokens to be reused, which might matter in an application that parses a high volume of tokens with a small set of keys. Backwards compatibility has been maintained for passing []byte to the RSA signing methods, but they will also accept *rsa.PublicKey and *rsa.PrivateKey.
It is likely the only integration change required here will be to change func(t *jwt.Token) ([]byte, error) to func(t *jwt.Token) (interface{}, error) when calling Parse.
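The key-type point in the notes above ([]byte keys with RSA signing methods, and keys passed as interface{}), shown as an added example that is not jwt-go code: a standard-library-only verifier that type-asserts the key per signing method, so a mismatched key is rejected before any signature math runs. The names verify, hs256, demo and errKeyType are hypothetical, and the input and secret are constructed.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var errKeyType = errors.New("key is of invalid type") // hypothetical name for this sketch
func hs256(input string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// verify type-asserts the interface{} key per signing method before any crypto runs.
func verify(alg, input string, sig []byte, key interface{}) error {
	switch alg {
	case "HS256":
		secret, ok := key.([]byte)
		if !ok {
			return errKeyType // e.g. an RSA public key offered as an HMAC secret
		}
		if !hmac.Equal(hs256(input, secret), sig) {
			return errors.New("signature is invalid")
		}
		return nil
	case "RS256":
		pub, ok := key.(*rsa.PublicKey)
		if !ok {
			return errKeyType // raw bytes are not accepted as an RSA key
		}
		sum := sha256.Sum256([]byte(input))
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
	}
	return fmt.Errorf("unsupported alg %q", alg)
}

// demo runs one matching and two mismatched key/method pairs on constructed input.
func demo() (good, hmacWithRSAKey, rsaWithBytes error) {
	input, secret := "constructed-header.constructed-claims", []byte("constructed-secret")
	sig := hs256(input, secret)
	return verify("HS256", input, sig, secret),
		verify("HS256", input, sig, &rsa.PublicKey{}), // only the key's type matters here
		verify("RS256", input, sig, secret)
}
func main() { fmt.Println(demo()) }
```

A key function in the func(t *jwt.Token) (interface{}, error) form can apply the same idea by checking the token's signing method before it returns a key.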
SigningMethodHS256 is now *SigningMethodHMAC instead of type struct
SigningMethodRS256 is now *SigningMethodRSA instead of type struct
KeyFunc now returns interface{} instead of []byte
SigningMethod.Sign now takes interface{} instead of []byte for the key
SigningMethod.Verify now takes interface{} instead of []byte for the key
SigningMethodHS256 to SigningMethodHMAC. Specific sizes are now just instances of this type.
SigningMethodHS256
SigningMethodHS384
SigningMethodHS512
SigningMethodRS256 to SigningMethodRSA. Specific sizes are now just instances of this type.
SigningMethodRS256
SigningMethodRS384
SigningMethodRS512
ParseRSAPrivateKeyFromPEM and ParseRSAPublicKeyFromPEM