Upgrade go-jose from v2 to v4 #269

Open
6 tasks done
jamestelfer opened this issue Apr 30, 2024 · 7 comments
Labels
bug This issue reports a suspect bug or issue with the SDK itself

Comments

@jamestelfer

Checklist

  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have upgraded to the latest version of this SDK and the issue still persists.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

This was previously addressed in #239, but I think this issue might need to be reopened.

On main, the "Versions" section says:

The old square/go-jose repo contains the prior v1 and v2 versions, which are still useable but not actively developed anymore.

Now, a version 2.6.3 was released in March owing to a security vulnerability, so it's possible that some security issues will be backported.

However, the security policy states clearly that only v3 and v4 are supported versions.

It would be good to investigate an upgrade, given the stability and security improvements since v2.

Reproduction

go.mod references go-jose v2.x

Go JWT Middleware version

2.2.1

Go version

1.22

@jamestelfer jamestelfer added the bug This issue reports a suspect bug or issue with the SDK itself label Apr 30, 2024
@mwiesenbauer mwiesenbauer mentioned this issue Jun 5, 2024
@maxime-gaudron

@sergiught Hello, mentioning you as the main contributor of the repo.
As Auth0 clients we're facing the same issue and as we're working in a regulated domain it's a bit sensitive for us.
Would there be any chance you could look at this?
Thank you!

@pat-git023

Is there any update on this?
Since go-jose 2.x has reached end-of-life we also get security warnings and need to react to that.
Any chance that the open PR #275 will be merged in a timely manner?

Thank you very much

@cantutar

I absolutely agree with the above users. Please update the dependency; it has a security vulnerability.

@sergiught
Contributor

Hey folks, apologies for the delay as I have missed getting notified on this. Unfortunately I am no longer a maintainer of this project as I have transitioned to a new team, however I've immediately alerted the owning team and it will be looked at ASAP.

CC: @developerkunal, @arpit-jn

@developerkunal
Contributor

Hey folks,
I apologize for the delay in addressing this vulnerability; it was unfortunately overlooked. At this time, we're unable to upgrade to JoseV4 due to the breaking changes it would introduce, which would require a major version release. However, I’ve already scheduled improvements and version upgrades that will be included in an upcoming major release.

In the meantime, we’ve released a security patch to address the issue. If you encounter any further problems, please don’t hesitate to tag me or open a new issue, and I’ll respond as quickly as possible.

Thank you for your understanding.

@abiabsurd

What's the timeline for the upcoming major release that will include this support for jose v4? Anything contributors can help with?

@JoseAlban

My team would benefit from the https://github.com/go-jose/go-jose/pull/81/files changes from v4
as Auth0 sometimes produces an array of strings and sometimes a single string for the aud claim,
and that's breaking in our use case for Auth0 M2M tokens

invalid auth0 token: failed to validate token: failed to deserialize token claims: could not get token claims: json: cannot unmarshal string into Go value of type []string
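The comment above hits a real shape mismatch: RFC 7519 allows the `aud` claim to be either a single string or an array of strings, and a claims struct typed as `[]string` rejects the single-string form with exactly the `json: cannot unmarshal string into Go value of type []string` error shown. The following Go example is an added illustration, not code from this repository or from go-jose, of how to decode both forms with a custom type while still enforcing an exact-match audience check. It operates only on the already-decoded claims JSON; signature verification is assumed to have happened earlier in the middleware, and the sample payloads, issuer and audience URLs are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrAudienceMismatch is returned when the expected audience is absent from "aud".
var ErrAudienceMismatch = errors.New("token audience does not include the expected audience")

// Audience accepts the "aud" claim as either a JSON string or an array of
// strings, the two encodings permitted by RFC 7519 section 4.1.3.
type Audience []string

// UnmarshalJSON tries the single-string form first, then the array form.
func (a *Audience) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		*a = nil // an absent or null "aud" means no audience was asserted
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = Audience(many)
	return nil
}

// Contains reports whether expected is present; comparison is exact, so
// "https://api.example.com" and "https://api.example.com/" are different audiences.
func (a Audience) Contains(expected string) bool {
	for _, v := range a {
		if v == expected {
			return true
		}
	}
	return false
}

// Claims is a minimal registered-claims struct using the tolerant Audience type.
type Claims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience Audience `json:"aud"`
}

// ParseClaims decodes a claims payload and requires expectedAud to be present.
// A token whose "aud" is missing, or lists only other audiences, is rejected.
func ParseClaims(payload []byte, expectedAud string) (*Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("could not get token claims: %w", err)
	}
	if !c.Audience.Contains(expectedAud) {
		return nil, ErrAudienceMismatch
	}
	return &c, nil
}

// Constructed sample payloads: the same M2M-style claims with "aud" in both encodings.
const singleAud = `{"iss":"https://example-tenant.auth0.com/","sub":"abc123@clients","aud":"https://api.example.com"}`
const arrayAud = `{"iss":"https://example-tenant.auth0.com/","sub":"abc123@clients","aud":["https://api.example.com","https://other.example.com"]}`

func main() {
	for _, p := range []string{singleAud, arrayAud} {
		c, err := ParseClaims([]byte(p), "https://api.example.com")
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted sub=%s aud=%v\n", c.Subject, c.Audience)
	}
	_, err := ParseClaims([]byte(arrayAud), "https://wrong.example.com")
	fmt.Println("wrong audience:", err)
}
```

The tolerant decoder widens only the accepted JSON encoding, not the security check: a token is still rejected unless the expected audience appears verbatim in the list, which is the property a resource server relying on `aud` needs to keep.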
