Switch to maintained go-jose library

[liggitt]

This allows consumers of the v2 stream to pick up the fix for https://pkg.go.dev/vuln/GO-2024-2631

Switching to v3 changes token generation (due to changes in go-jose) in ways that make it difficult to update without visible behavior changes. Without this, Kubernetes may have to fork the v2 branch of this dependency to update to go-jose. cc @dims for visibility (xref kubernetes/kubernetes#129732 (comment))

The TMP commits would be dropped and are only there to demonstrate the effective diff in the dependency.

After review, the TMP commits would be dropped and this could be merged and tagged as v2.3.0, etc

• The Switch to maintained gopkg.in/go-jose/go-jose.v2 library commit is the only change intended to be merged (only switches import paths for the go-jose library)
• The TMP: revendor to show effective dependency diff commit shows the actual dependency change

[dims]

thanks @liggitt

[liggitt]

cc @ericchiang

[ericchiang]

Thanks! let me fix up the CI first, then will merge

For the breaking changes

Switching to v3 changes token generation (due to changes in go-jose) in ways that make it difficult to update without visible behavior changes

I'm aware of stricter parsing of base64 encodings (#422 (comment)), but is there anything else you're seeing?

[dims]

@ericchiang thanks for the quick response! we saw this as well - payload changes needed in unit tests - kubernetes/kubernetes#123649 (comment)

[ericchiang]

Thanks, will take a look when I get a change.

If you rebase over #448 you should be good to go, and I can tag a release

[ericchiang]

Last time we did this we broke imports of this branch.

#230
#231

I don't know if that's changed in the upstream Go tooling since then.

[liggitt]

all the go.mod and vendor bits are in TMP commits I would drop before we merge this, I just included those so we could actually see the effective change in the dependency code the square → go-jose change would make

if you're done looking at the vendor change, I'll drop those commits out completely

[liggitt]

I agree we don't want to add go.mod to the v2 branch

[liggitt]

done, dropping TMP commits

[ericchiang]

For my own reference, the changes to the kubernetes tests are based on their usage of go-jose's JWT library to generate tokens. go-oidc doesn't support creation of ID Tokens, and handles these encoding differences fine, so there shouldn't be any observable changes to other go-oidc users.

kubernetes/kubernetes#129732 (comment)

[ericchiang]

Tagged https://github.com/coreos/go-oidc/releases/tag/v2.3.0

[dims]

thanks @ericchiang !

[liggitt]

thanks so much, appreciate it