chore: upgrade to jose v4 library

authorize_request_handler.go

@@ -10,7 +10,7 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/fosite/i18n"

authorize_request_handler_oidc_request_test.go

@@ -16,7 +16,7 @@ import (
 
 	"github.com/pkg/errors"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 

client.go

@@ -4,7 +4,7 @@
 package fosite
 
 import (
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 )
 
 // Client represents a client or an app.

client_authentication.go

@@ -16,7 +16,7 @@ import (
 
 	"github.com/ory/x/errorsx"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/pkg/errors"
 
 	"github.com/ory/fosite/token/jwt"

client_authentication_jwks_strategy.go

@@ -13,7 +13,7 @@ import (
 
 	"github.com/ory/x/errorsx"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 )
 
 const defaultJWKSFetcherStrategyCachePrefix = "github.com/ory/fosite.DefaultJWKSFetcherStrategy:"

client_authentication_jwks_strategy_test.go

@@ -17,7 +17,7 @@ import (
 
 	"github.com/ory/fosite/internal/gen"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

client_authentication_test.go

@@ -20,7 +20,7 @@ import (
 
 	"github.com/ory/fosite/internal/gen"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
 	github.com/cristalhq/jwt/v4 v4.0.2
 	github.com/dgraph-io/ristretto v0.1.1
-	github.com/go-jose/go-jose/v3 v3.0.3
+	github.com/go-jose/go-jose/v4 v4.0.4
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
@@ -25,13 +25,13 @@ require (
 	github.com/ory/x v0.0.575
 	github.com/parnurzeal/gorequest v0.2.15
 	github.com/pkg/errors v0.9.1
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/tidwall/gjson v1.14.3
 	go.opentelemetry.io/otel/trace v1.16.0
-	golang.org/x/crypto v0.21.0
-	golang.org/x/net v0.23.0
+	golang.org/x/crypto v0.25.0
+	golang.org/x/net v0.25.0
 	golang.org/x/oauth2 v0.10.0
-	golang.org/x/text v0.14.0
+	golang.org/x/text v0.16.0
 )
 
 require (
@@ -83,9 +83,9 @@ require (
 	go.opentelemetry.io/otel/metric v1.16.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.16.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/tools v0.11.1 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230731193218-e0aa005b6bdf // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230731193218-e0aa005b6bdf // indirect
@@ -96,4 +96,6 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-go 1.20
+go 1.21
+
+toolchain go1.23.1

handler/rfc7523/handler.go

@@ -10,10 +10,11 @@ import (
 
 	"github.com/ory/fosite/handler/oauth2"
 
-	"github.com/go-jose/go-jose/v3"
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 
 	"github.com/ory/fosite"
+	fositeJWT "github.com/ory/fosite/token/jwt"
 	"github.com/ory/x/errorsx"
 )
 
@@ -51,7 +52,7 @@ func (c *Handler) HandleTokenEndpointRequest(ctx context.Context, request fosite
 		return errorsx.WithStack(fosite.ErrInvalidRequest.WithHintf("The assertion request parameter must be set when using grant_type of '%s'.", grantTypeJWTBearer))
 	}
 
-	token, err := jwt.ParseSigned(assertion)
+	token, err := jwt.ParseSigned(assertion, fositeJWT.SupportedSignatureAlgorithms)
 	if err != nil {
 		return errorsx.WithStack(fosite.ErrInvalidGrant.
 			WithHint("Unable to parse JSON Web Token passed in \"assertion\" request parameter.").

handler/rfc7523/handler_test.go

@@ -18,8 +18,8 @@ import (
 
 	"github.com/ory/fosite/handler/oauth2"
 
-	"github.com/go-jose/go-jose/v3"
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/suite"
 
@@ -760,7 +760,7 @@ func (s *AuthorizeJWTGrantRequestHandlerTestSuite) createTestAssertion(cl jwt.Cl
 		s.FailNowf("failed to create test assertion", "failed to create signer: %s", err.Error())
 	}
 
-	raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+	raw, err := jwt.Signed(sig).Claims(cl).Serialize()
 	if err != nil {
 		s.FailNowf("failed to create test assertion", "failed to sign assertion: %s", err.Error())
 	}

handler/rfc7523/storage.go

@@ -7,7 +7,7 @@ import (
 	"context"
 	"time"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 )
 
 // RFC7523KeyStorage holds information needed to validate jwt assertion in authorization grants.

integration/authorize_jwt_bearer_required_iat_test.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"

integration/authorize_jwt_bearer_required_jti_test.go

@@ -9,7 +9,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"

integration/authorize_jwt_bearer_test.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"

integration/clients/jwt_bearer.go

@@ -12,8 +12,8 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/go-jose/go-jose/v3"
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 )
 
 // #nosec:gosec G101 - False Positive
@@ -69,7 +69,7 @@ func (c *JWTBearer) GetToken(ctx context.Context, payloadData *JWTBearerPayload,
 		Claims(payloadData.Claims).
 		Claims(payloadData.PrivateClaims)
 
-	assertion, err := builder.CompactSerialize()
+	assertion, err := builder.Serialize()
 	if err != nil {
 		return nil, err
 	}

integration/helper_setup_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/ory/fosite/internal"
 	"github.com/ory/fosite/internal/gen"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/gorilla/mux"
 	goauth "golang.org/x/oauth2"
 	"golang.org/x/oauth2/clientcredentials"

integration/introspect_jwt_bearer_token_test.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
 

storage/memory.go

@@ -9,7 +9,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/internal"

token/jwt/jwt.go

@@ -14,7 +14,7 @@ import (
 	"crypto/sha256"
 	"strings"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 
 	"github.com/ory/x/errorsx"
 

token/jwt/jwt_test.go

@@ -10,7 +10,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v4"
 
 	"github.com/ory/fosite/internal/gen"
 

token/jwt/map_claims.go

@@ -10,7 +10,7 @@ import (
 	"errors"
 	"time"
 
-	jjson "github.com/go-jose/go-jose/v3/json"
+	jjson "github.com/go-jose/go-jose/v4/json"
 
 	"github.com/ory/x/errorsx"
 )

token/jwt/token.go

@@ -9,8 +9,8 @@ import (
 	"fmt"
 	"reflect"
 
-	"github.com/go-jose/go-jose/v3"
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 
 	"github.com/ory/x/errorsx"
 )
@@ -37,6 +37,12 @@ const (
 	JWTHeaderTypeValue = "JWT"
 )
 
+var SupportedSignatureAlgorithms = []jose.SignatureAlgorithm{
+	SigningMethodNone,
+	jose.EdDSA, jose.HS256, jose.HS384, jose.HS512, jose.RS256, jose.RS384,
+	jose.RS512, jose.ES256, jose.ES384, jose.ES512, jose.PS256, jose.PS384, jose.PS512,
+}
+
 type unsafeNoneMagicConstant string
 
 // Valid informs if the token was verified against a given verification key
@@ -96,10 +102,10 @@ func (t *Token) SignedString(k interface{}) (rawToken string, err error) {
 
 	// A explicit conversion from type alias MapClaims
 	// to map[string]interface{} is required because the
-	// go-jose CompactSerialize() only support explicit maps
+	// go-jose Serialize() only support explicit maps
 	// as claims or structs but not type aliases from maps.
 	claims := map[string]interface{}(t.Claims)
-	rawToken, err = jwt.Signed(signer).Claims(claims).CompactSerialize()
+	rawToken, err = jwt.Signed(signer).Claims(claims).Serialize()
 	if err != nil {
 		err = &ValidationError{Errors: ValidationErrorClaimsInvalid, Inner: err}
 		return
@@ -163,7 +169,7 @@ func Parse(tokenString string, keyFunc Keyfunc) (*Token, error) {
 // If everything is kosher, err will be nil
 func ParseWithClaims(rawToken string, claims MapClaims, keyFunc Keyfunc) (*Token, error) {
 	// Parse the token.
-	parsedToken, err := jwt.ParseSigned(rawToken)
+	parsedToken, err := jwt.ParseSigned(rawToken, SupportedSignatureAlgorithms)
 	if err != nil {
 		return &Token{}, &ValidationError{Errors: ValidationErrorMalformed, text: err.Error()}
 	}

token/jwt/token_test.go

@@ -15,8 +15,8 @@ import (
 
 	"github.com/ory/fosite/internal/gen"
 
-	"github.com/go-jose/go-jose/v3"
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -54,7 +54,7 @@ func TestUnsignedToken(t *testing.T) {
 			parts := strings.Split(rawToken, ".")
 			require.Len(t, parts, 3)
 			require.Empty(t, parts[2])
-			tk, err := jwt.ParseSigned(rawToken)
+			tk, err := jwt.ParseSigned(rawToken, SupportedSignatureAlgorithms)
 			require.NoError(t, err)
 			require.Len(t, tk.Headers, 1)
 			require.Equal(t, tc.expectedType, tk.Headers[0].ExtraHeaders[jose.HeaderKey("typ")])
@@ -82,7 +82,7 @@ func TestJWTHeaders(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			rawToken := makeSampleTokenWithCustomHeaders(nil, jose.RS256, tc.jwtHeaders, gen.MustRSAKey())
-			tk, err := jwt.ParseSigned(rawToken)
+			tk, err := jwt.ParseSigned(rawToken, SupportedSignatureAlgorithms)
 			require.NoError(t, err)
 			require.Len(t, tk.Headers, 1)
 			require.Equal(t, tk.Headers[0].Algorithm, "RS256")