[keycloak-dev] [keycloak-gatekeeper][KEYCLOAK-7175] upgrade from coreos/go-oidc.v1

Bruno Oliveira bruno at abstractj.org
Mon Jan 14 04:52:39 EST 2019



On 2019-01-14, Stian Thorgersen wrote:
> Bruno - can you reply to this please?

Of course, we discussed this some time ago: https://github.com/keycloak/keycloak-gatekeeper/pull/407#issuecomment-409207544. But just in case it was missed, I'm adding some answers/questions inline.

> 
> On Tue, 8 Jan 2019 at 15:19, BIDON Frederic <fredbi at yahoo.com> wrote:
> 
> >
> > Relying on a stale package such as `github.com/coreos/go-oidc.v1`
> > <http://github.com/coreos/go-oidc.v1> is really annoying for a security
> > product.

Hi Frederic, I understand your concern. If you found some
security issue, please do not hesitate to send us an e-mail to the
keycloak-security mailing list with all the details: https://www.keycloak.org/security.html

We had to remove all the forks from the gambol99 repository and move to the official repositories. Doing a full upgrade of dependencies would take considerable time, due to the break in API compatibility.

That's the reason why we decided to postpone it.

> >
> > Moreover, this library has no support for tokens with an EC signature.

You are correct; our plan is to upgrade all the dependencies soon.

> >
> > I've tried a bit to remove this but I felt like the choice of a proper
> > library should be discussed.
> >
> > Here is my two cents:
> >
> >    - coreos/go-oidc.v2 does not add much compared to stdlib `x/oauth2`:
> > there is remote JWKS fetcher which might be useful, although this is in
> > fact `square/go-jose` that does the heavy lifting here
> >    - I found `square/go-jose` good enough for JWK and JWKS, but rather
> > unpractical for JWT. I found `dgrijalva/jwt-go` much handier when it comes
> > to manipulating JWT

Could you please elaborate more on why you think it's unpractical?

> >
> > Any ideas / challenges around for a proper choice of dependencies here?

The initial idea is to upgrade the following dependencies:

* From coreos/go-oidc/oauth2 to golang/x/oauth2
* From coreos/go-oidc/jose to square/go-jose
* From coreos/go-oidc/oidc to coreos/go-oidc (v2)

Also, the work on this has not started yet, so absolutely nothing is set in stone.

> >
> > Cheers,
> >
> > Frédéric
> >   frederic.bidon at yahoo.com
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 

abstractj
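As an added illustration of the EC-signature gap raised in this thread (this is not code from the thread, from keycloak-gatekeeper or from any of the libraries named above), the following standard-library Go snippet shows what verifying an ES256-signed token against a JWK involves: pinning `alg` before the signature is touched, decoding the raw R||S signature that JWS uses, and checking it with `crypto/ecdsa`. The function names, the constructed claims and the generated issuer key are all mine; a real proxy would fetch the JWK from the issuer's JWKS endpoint, which is the part the thread delegates to `go-jose`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// jwk is the subset of an RFC 7517 EC public key this example needs (kty, crv, x, y).
type jwk struct{ Kty, Crv, X, Y string }
var b64 = base64.RawURLEncoding
// newKey generates a P-256 key pair standing in for the issuer's signing key (constructed for the example).
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// pad32 left-pads to the fixed 32-byte width JWS uses for P-256 coordinates and for R and S.
func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }
// signES256 builds a compact JWT signed with ECDSA P-256; used here only to construct the sample token.
func signES256(claims []byte, priv *ecdsa.PrivateKey) (string, jwk, error) {
	signing := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	h := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil { return "", jwk{}, err }
	key := jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(pad32(priv.X)), Y: b64.EncodeToString(pad32(priv.Y))}
	return signing + "." + b64.EncodeToString(append(pad32(r), pad32(s)...)), key, nil
}
// verifyES256 pins alg to ES256 before touching the signature (so "none", or an RSA alg presented with
// an EC key, is rejected), verifies the ECDSA signature against the JWK and returns the decoded claims.
func verifyES256(token string, key jwk) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed compact JWS") }
	bad := false // any base64url decode failure below flips this
	dec := func(s string) []byte { b, err := b64.DecodeString(s); bad = bad || err != nil; return b }
	hdrRaw, payload, sig, xb, yb := dec(parts[0]), dec(parts[1]), dec(parts[2]), dec(key.X), dec(key.Y)
	if bad || len(sig) != 64 { return nil, errors.New("bad base64url in token or key") }
	var hdr struct{ Alg string } // encoding/json matches "alg" to Alg case-insensitively
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" || key.Kty != "EC" || key.Crv != "P-256" { return nil, errors.New("only ES256 with a P-256 EC key is accepted") }
	// JWS ES256 signatures are raw R||S (32 bytes each), not the ASN.1 DER that ecdsa.SignASN1 emits.
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(payload, &claims)
}
```

Expiry, issuer and audience checks are deliberately left out here; they are the same regardless of signature algorithm and are what the OIDC library layer on top of the JWS check is for.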