
Migrate from go-jose/v3 to go-jose/v4#881

Closed
adityab-datadog wants to merge 1 commit into ory:master from adityab-datadog:aditya/parse-signed-fosite

Conversation


@adityab-datadog adityab-datadog commented Jun 18, 2026


Summary

Migrate all go-jose dependencies from v3 to v4 for better security and to keep dependencies up to date.

Changes

  • Import Updates: Replaced all github.com/go-jose/go-jose/v3 imports with v4 across 25 files
  • Algorithm Specification: Updated all jwt.ParseSigned() calls to explicitly specify allowed algorithms:
    • RSA: RS256, RS384, RS512, PS256, PS384, PS512
    • ECDSA: ES256, ES384, ES512
    • HMAC: HS256, HS384, HS512
    • EdDSA
    • None (for unsigned tokens in tests)
  • Method Rename: Updated CompactSerialize() to Serialize() per v4 API changes
  • Dependency Cleanup: Removed v3 dependency from go.mod

Breaking Changes Handled

  1. ParseSigned API: v4 requires explicit algorithm specification to prevent algorithm confusion attacks
  2. Method Rename: CompactSerialize() → Serialize()

Testing

  • All packages build successfully
  • JWT tests pass
  • Integration tests pass

Notes

The algorithm list currently includes all common algorithms for backward compatibility. This may be restricted in future updates for enhanced security based on specific use case requirements.

Summary by CodeRabbit

Release Notes

  • Chores

    • Go toolchain updated from 1.22 to 1.24.0 with compiler version 1.24.6
    • JOSE/JWT cryptographic library upgraded from v3 to v4
    • JWT token signing and parsing mechanisms updated to align with new library version
  • Tests

    • All test suites updated to use JOSE/JWT v4 library

Replace all go-jose/v3 imports with v4 across the codebase. This migration includes handling two breaking changes in v4:

1. ParseSigned now requires explicit algorithm specification to prevent algorithm confusion attacks. All parse calls now accept common algorithms: RS256/384/512, ES256/384/512, PS256/384/512, HS256/384/512, EdDSA, and none (for unsigned tokens).

2. CompactSerialize method renamed to Serialize.

The algorithm list currently includes all common algorithms for backward compatibility and may be restricted in future updates for enhanced security.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@adityab-datadog adityab-datadog requested review from a team and aeneasr as code owners June 18, 2026 15:31
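The security point behind the ParseSigned change is worth seeing in code. In go-jose v4 the caller passes the accepted algorithms explicitly, e.g. jwt.ParseSigned(raw, []jose.SignatureAlgorithm{jose.RS256, jose.ES256}), and the library rejects a token whose header alg is not on that list before any signature check runs. The following Go program is an added illustration written for this page, not code from fosite or go-jose: it implements that allowlist-before-verify ordering with the standard library only, verifies HS256, and shows an alg "none" token and a token using an algorithm outside the list both being refused. The key, claims and function names (ParseSignedHS256, SignHS256, UnsignedToken) are constructed for the example; a production allowlist would, as the PR notes anticipate, leave "none" out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors so callers can tell an allowlist rejection from a signature failure.
var (
	ErrAlgNotAllowed = errors.New("jws: header alg not in allowlist")
	ErrBadSignature  = errors.New("jws: signature mismatch")
)

// joseHeader is the subset of the JWS protected header this example needs.
type joseHeader struct {
	Alg string `json:"alg"`
}

// ParseSignedHS256 mirrors the shape of go-jose v4's jwt.ParseSigned: the caller
// passes the algorithms it is willing to accept, and the header alg is checked
// against that list before any cryptography runs. Only HS256 is verified here
// (standard library only); this is an illustrative helper, not go-jose code.
func ParseSignedHS256(raw string, allowed []string, key []byte) (map[string]any, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three compact-serialization parts")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr joseHeader
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Allowlist first: a token announcing "none" or an unexpected algorithm is
	// rejected regardless of what its signature field contains.
	allowedAlg := false
	for _, a := range allowed {
		if a == hdr.Alg {
			allowedAlg = true
			break
		}
	}
	if !allowedAlg {
		return nil, fmt.Errorf("%w: %q", ErrAlgNotAllowed, hdr.Alg)
	}
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("jws: %s is allowed but not implemented in this example", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, ErrBadSignature
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// SignHS256 builds a compact JWS over claims with an HS256 signature (constructed helper).
func SignHS256(claims map[string]any, key []byte) string {
	hdr, _ := json.Marshal(joseHeader{Alg: "HS256"})
	body, _ := json.Marshal(claims)
	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// UnsignedToken builds an alg "none" token with an empty signature part (constructed helper).
func UnsignedToken(claims map[string]any) string {
	hdr, _ := json.Marshal(joseHeader{Alg: "none"})
	body, _ := json.Marshal(claims)
	return base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key, not from the project
	claims := map[string]any{"sub": "client-1", "iss": "example-issuer"}
	allowed := []string{"HS256"} // production-style allowlist: no "none"
	_, err := ParseSignedHS256(SignHS256(claims, key), allowed, key)
	fmt.Println("HS256 token, HS256 allowed:", err)
	_, err = ParseSignedHS256(UnsignedToken(claims), allowed, key)
	fmt.Println("alg none token, HS256 allowed:", err)
	_, err = ParseSignedHS256(SignHS256(claims, key), []string{"RS256"}, key)
	fmt.Println("HS256 token, only RS256 allowed:", err)
}
```

The ordering is the whole point: the allowlist decision depends only on the protected header the verifier chose to trust, never on the signature bytes the token carries, which is what v4's mandatory algorithm argument enforces and what the v3 API left to the caller.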

coderabbitai Bot commented Jun 18, 2026


Caution

Review failed

The pull request is closed.

Recent review info

Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e15d72d6-2184-4fba-a9ce-e07690685ddb

Commits

Reviewing files that changed from the base of the PR and between a5f0b09 and dfa29b8.

Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
Files selected for processing (24)
  • authorize_request_handler.go
  • authorize_request_handler_oidc_request_test.go
  • client.go
  • client_authentication.go
  • client_authentication_jwks_strategy.go
  • client_authentication_jwks_strategy_test.go
  • client_authentication_test.go
  • go.mod
  • handler/rfc7523/handler.go
  • handler/rfc7523/handler_test.go
  • handler/rfc7523/storage.go
  • integration/authorize_jwt_bearer_required_iat_test.go
  • integration/authorize_jwt_bearer_required_jti_test.go
  • integration/authorize_jwt_bearer_test.go
  • integration/clients/jwt_bearer.go
  • integration/helper_setup_test.go
  • integration/introspect_jwt_bearer_token_test.go
  • internal/oauth2_auth_jwt_storage.go
  • storage/memory.go
  • token/jwt/jwt.go
  • token/jwt/jwt_test.go
  • token/jwt/map_claims.go
  • token/jwt/token.go
  • token/jwt/token_test.go

Walkthrough

Upgrades the go-jose dependency from v3 to v4 across all source and test files, bumps the Go toolchain to 1.24, and adapts to the v4 API: jwt.ParseSigned now requires an explicit algorithm allowlist in token/jwt/token.go and handler/rfc7523/handler.go, and CompactSerialize() is replaced with Serialize() in signing paths.

Changes

go-jose v3 → v4 Upgrade

Layer: go.mod: dependency and toolchain bumps
  • File(s): go.mod
  • Summary: Replaces go-jose/v3 v3.0.3 with go-jose/v4 v4.1.4, bumps Go from 1.22 to 1.24.0, and toolchain from go1.23.1 to go1.24.6.

Layer: token/jwt: algorithm allowlist and Serialize() migration
  • File(s): token/jwt/token.go, token/jwt/map_claims.go, token/jwt/jwt.go, token/jwt/token_test.go, token/jwt/jwt_test.go
  • Summary: ParseWithClaims now builds an explicit algorithm allowlist (RS*, ES*, PS*, HS*, EdDSA, none) and passes it to jwt.ParseSigned; SignedString switches from CompactSerialize() to Serialize(); map_claims.go switches the jjson alias to the v4 JSON package; tests add the matching allowlist to their jwt.ParseSigned calls.

Layer: handler/rfc7523: algorithm allowlist in assertion parsing
  • File(s): handler/rfc7523/handler.go, handler/rfc7523/storage.go, handler/rfc7523/handler_test.go
  • Summary: HandleTokenEndpointRequest passes an explicit algorithm allowlist to jwt.ParseSigned for the assertion parameter; createTestAssertion in tests switches to Serialize().

Layer: integration/clients: Serialize() migration
  • File(s): integration/clients/jwt_bearer.go
  • Summary: GetToken switches JWT assertion serialization from CompactSerialize() to Serialize().

Layer: Import-only sweep across remaining files
  • File(s): authorize_request_handler.go, client.go, client_authentication.go, client_authentication_jwks_strategy.go, internal/oauth2_auth_jwt_storage.go, storage/memory.go, authorize_request_handler_oidc_request_test.go, client_authentication_*.go, integration/.../*_test.go
  • Summary: All remaining source and test files update their go-jose import path from /v3 to /v4 with no other logic changes.

Estimated code review effort

2 (Simple) | ~10 minutes


Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)



@adityab-datadog adityab-datadog deleted the aditya/parse-signed-fosite branch June 18, 2026 15:32