feat: upgrade golang-jwt version for apple provider (#583)

Author: burkayanduv

go.mod

@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/go-chi/chi/v5 v5.1.0
-	github.com/golang-jwt/jwt/v4 v4.2.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/gorilla/mux v1.6.2
 	github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1
 	github.com/gorilla/sessions v1.1.1

go.sum

@@ -13,8 +13,8 @@ github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
 github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
-github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=

providers/apple/apple.go

@@ -13,7 +13,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/markbates/goth"
 	"golang.org/x/oauth2"
 )

providers/apple/session.go

@@ -10,7 +10,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/lestrrat-go/jwx/jwk"
 	"github.com/markbates/goth"
 	"golang.org/x/oauth2"
@@ -48,7 +48,7 @@ func (s Session) Marshal() string {
 }
 
 type IDTokenClaims struct {
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 	AccessTokenHash string     `json:"at_hash"`
 	AuthTime        int        `json:"auth_time"`
 	Email           string     `json:"email"`
@@ -80,27 +80,18 @@ func (s *Session) Authorize(provider goth.Provider, params goth.Params) (string,
 		idToken, err := jwt.ParseWithClaims(idToken.(string), &IDTokenClaims{}, func(t *jwt.Token) (interface{}, error) {
 			kid := t.Header["kid"].(string)
 			claims := t.Claims.(*IDTokenClaims)
-			vErr := new(jwt.ValidationError)
-			if !claims.VerifyAudience(p.clientId, true) {
-				vErr.Inner = fmt.Errorf("audience is incorrect")
-				vErr.Errors |= jwt.ValidationErrorAudience
-			}
-			if !claims.VerifyIssuer(AppleAudOrIss, true) {
-				vErr.Inner = fmt.Errorf("issuer is incorrect")
-				vErr.Errors |= jwt.ValidationErrorIssuer
-			}
-			if vErr.Errors > 0 {
-				return nil, vErr
+			validator := jwt.NewValidator(jwt.WithAudience(p.clientId), jwt.WithIssuer(AppleAudOrIss))
+			err := validator.Validate(claims)
+			if err != nil {
+				return nil, err
 			}
 
 			// per OpenID Connect Core 1.0 §3.2.2.9, Access Token Validation
 			hash := sha256.Sum256([]byte(s.AccessToken))
 			halfHash := hash[0:(len(hash) / 2)]
 			encodedHalfHash := base64.RawURLEncoding.EncodeToString(halfHash)
 			if encodedHalfHash != claims.AccessTokenHash {
-				vErr.Inner = fmt.Errorf(`identity token invalid`)
-				vErr.Errors |= jwt.ValidationErrorClaimsInvalid
-				return nil, vErr
+				return nil, fmt.Errorf(`identity token invalid`)
 			}
 
 			// get the public key for verifying the identity token signature