6.4 KiB
Incompatible Changes from v2 to v3
These are changes that are incompatible with the v2.x.x version.
Detailed list of changes
Module
-
This module now requires Go 1.23
-
All
xxx.Get()methods have been changed fromGet(string) (interface{}, error)toGet(string, interface{}) error, where the second argument should be a pointer to the storage destination of the field. -
All convenience accessors (e.g.
(jwt.Token).Subject) now return(T, bool)instead ofT. If you want an accessor that returns a single value, consider usingGet() -
Most major errors can now be differentiated using
errors.Is
JWA
-
All string constants have been renamed to equivalent functions that return a struct. You should rewrite
jwa.RS256asjwa.RS256()and so forth. -
By default, only known algorithm names are accepted. For example, in our JWK tests, there are tests that deal with "ECMR" algorithm, but this will now fail by default. If you want this algorithm to succeed parsing, you need to call
jwa.RegisterXXXXfunctions before using them. -
Previously, unmarshaling unquoted strings used to work (e.g.
var s = "RS256"), but now they must conform to the JSON standard and be quoted (e.g.var s = strconv.Quote("RS256"))
JWT
-
All convenience accessors (e.g.
Subject) now return(T, bool)instead of justT. If you want a single return value accessor, useGet(dst) errorinstead. -
Validation used to work for
iat,nbf,expfields where these fields were set to the explicit time.Time{} zero value, but now the presence of these fields matter. -
Validation of fields related to time used to be truncated to one second accuracy, but no longer does so. To restore old behavior, you can either change the global settings by calling
jwt.Settings(jwt.WithTruncation(time.Second)), or you can change it by each invocation by usingjwt.Validate(..., jwt.WithTruncation(time.Second)) -
Error names have been renamed. For example
jwt.ErrInvalidJWThas been renamed tojwt.UnknownPayloadTypeErrorto better reflect what the error means. For other errors,func ErrXXXX()have generally been renamed tofunc XXXError() -
Validation errors are now wrapped. While
Validate()returns aValidateError()type, it can also be matched against more specific error types such asTokenExpierdError()usingerrors.Is -
jwt.ErrMissingRequiredClaimhas been removed
JWS
-
Iterators have been completely removed.
-
As a side effect of removing iterators, some methods such as
Copy()lost thecontext.Contextargument -
All convenience accessors (e.g.
Algorithm) now return(T, bool)instead of justT. If you want a single return value accessor, useGet(dst) errorinstead. -
Errors from
jws.Signandjws.Verify, as well asjws.Parse(and friends) can now be differentiated by usingerrors.Is. Alljws.IsXXXXErrorfunctions have been removed.
JWE
-
Iterators have been completely removed.
-
As a side effect of removing iterators, some methods such as
Copy()lost thecontext.Contextargument -
All convenience accessors (e.g.
Algorithm) now return(T, bool)instead of justT. If you want a single return value accessor, useGet(dst) errorinstead. -
Errors from
jwe.Decryptandjwe.Encrypt, as well asjwe.Parse(and friends) can now be differentiated by usingerrors.Is. Alljwe.IsXXXXrrorfunctions have been removed.
JWK
-
All convenience accessors (e.g.
Algorithm,Crv) now return(T, bool)instead of justT, exceptKeyType, which always returns a valid value. If you want a single return value accessor, useGet(dst) errorinstead. -
jwk.KeyUsageTypecan now be configured so that it's possible to assign values other than "sig" and "enc" viajwk.RegisterKeyUsage(). Furthermore, strict checks can be turned on/off against these registered values -
jwk.Cachehas been completely re-worked based on github.com/lestrrat-go/httprc/v3. In particular, the default whitelist mode has changed from "block everything" to "allow everything". -
Experimental secp256k1 encoding/decoding for PEM encoded ASN.1 DER Format has been removed. Instead,
jwk.PEMDecoderandjwk.PEMEncoderhave been added to support those who want to perform non-standard PEM encoding/decoding -
Iterators have been completely removed.
-
jwk/x25519has been removed. To use X25519 keys, use(crypto/ecdh).PrivateKeyand(crypto/ecdh).PublicKey. Similarly, internals have been reworked to usecrypto/ecdh -
Parsing has completely been reworked. It is now possible to add your own
jwk.KeyParserto generate a customjwk.Keythat this library may not natively support. Also seejwk.RegisterKeyParser() -
jwk.KeyProbehas been added to aid probing the JSON message. This is used to guess the type of key described in the JSON message before deciding which concrete type to instantiate, and aids implementing your ownjwk.KeyParser. Also seejwk.RegisterKeyProbe() -
Conversion between raw keys and
jwk.Keycan be customized usingjwk.KeyImporterandjwk.KeyExporter. Also seejwk.RegisterKeyImporter()andjwk.RegisterKeyExporter() -
Added
jwk/ecdsato keep track of which curves are available for ECDSA keys. -
(jwk.Key).Raw()has been deprecated. Usejwk.Export()instead to convertjwk.Keyobjects into their "raw" versions (e.g.*rsa.PrivateKey,*ecdsa.PrivateKey, etc). This is to allow third parties to register custom key types that this library does not natively support: Whereas a method must be bound to an object, and thus does not necessarily have a way to hook into a global settings (i.e. custom exporter/importer) for arbitrary key types, if the entrypoint is a function it's much easier and cleaner to for third-parties to take advantage and hook into the mechanisms. -
jwk.FromRaw()has been derepcated. Usejwk.Import()instead to convert "raw" keys (e.g.*rsa.PrivateKEy,*Ecdsa.PrivateKey, etc) intjwk.Keys. -
(jwk.Key).FromRaw()has been deprecated. The method(jwk.Key).Import()still exist for built-in types, but it is no longer part of any public API (interface{}). -
jwk.Fetchis marked as a simple wrapper aroundnet/httpandjwk.Parse. -
jwk.SetGlobalFetcherhas been deprecated. -
jwk.Fetcherhas been clearly marked as something that has limited usage forjws.WithVerifyAuto -
jwk.Keywith P256/P386/P521 curves can be exporrted toecdh.PrivateKey/ecdh.PublicKey