Update JWT dependency

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/codeready-toolchain/api v0.0.0-20240103194050-d5c7803671c1
 	github.com/go-logr/logr v1.2.3
 	github.com/gofrs/uuid v3.3.0+incompatible
-	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt/v5 v5.2.0
 	github.com/lestrrat-go/jwx v1.2.26
 	github.com/magiconair/properties v1.8.5
 	// using latest commit from 'github.com/openshift/api branch release-4.12'

go.sum

@@ -222,8 +222,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.2.0 h1:d/ix8ftRUorsN+5eMIlF4T6J8CAt9rch3My2winC1Jw=
+github.com/golang-jwt/jwt/v5 v5.2.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

pkg/test/auth/tokenmanager.go

@@ -14,7 +14,7 @@
 	"time"
 
 	uuid "github.com/gofrs/uuid"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/lestrrat-go/jwx/jwk"
 	"github.com/pkg/errors"
 )
@@ -104,14 +104,14 @@
 // WithIATClaim sets the `iat` claim in the token to generate
 func WithIATClaim(iat time.Time) ExtraClaim {
 	return func(token *jwt.Token) {
-		token.Claims.(*MyClaims).IssuedAt = iat.Unix()
+		token.Claims.(*MyClaims).IssuedAt = &jwt.NumericDate{iat}
 	}
 }
 
 // WithExpClaim sets the `exp` claim in the token to generate
 func WithExpClaim(exp time.Time) ExtraClaim {
 	return func(token *jwt.Token) {
-		token.Claims.(*MyClaims).ExpiresAt = exp.Unix()
+		token.Claims.(*MyClaims).ExpiresAt = &jwt.NumericDate{exp}
 	}
 }
 
@@ -132,7 +132,7 @@
 // WithNotBeforeClaim sets the `nbf` claim in the token to generate
 func WithNotBeforeClaim(nbf time.Time) ExtraClaim {
 	return func(token *jwt.Token) {
-		token.Claims.(*MyClaims).NotBefore = nbf.Unix()
+		token.Claims.(*MyClaims).NotBefore = &jwt.NumericDate{nbf}
 	}
 }
 
@@ -150,6 +150,13 @@
 	}
 }
 
+// WithAudClaim sets the `aud` claim in the token to generate
+func WithAudClaim(aud []string) ExtraClaim {
+	return func(token *jwt.Token) {
+		token.Claims.(*MyClaims).Audience = aud
+	}
+}
+
 // Identity is a user identity
 type Identity struct {
 	ID       uuid.UUID
@@ -216,10 +223,10 @@
 
  *****************************************************/
 
 const leeway = 5000
 
 type MyClaims struct {
-	jwt.StandardClaims
+	jwt.RegisteredClaims
 	IdentityID        string `json:"uuid,omitempty"`
 	PreferredUsername string `json:"preferred_username,omitempty"`
 	SessionState      string `json:"session_state,omitempty"`
@@ -236,23 +243,16 @@
 	AccountID         string `json:"account_id"`
 }
 
-func (c *MyClaims) Valid() error {
-	c.StandardClaims.IssuedAt -= leeway
-	err := c.StandardClaims.Valid()
-	c.StandardClaims.IssuedAt += leeway
-	return err
-}
-
 // GenerateToken generates a default token.
 func (tg *TokenManager) GenerateToken(identity Identity, kid string, extraClaims ...ExtraClaim) *jwt.Token {
 	token := jwt.New(jwt.SigningMethodRS256)
 
-	token.Claims = &MyClaims{StandardClaims: jwt.StandardClaims{
-		Id:        uuid.Must(uuid.NewV4()).String(),
-		IssuedAt:  time.Now().Unix(),
+	token.Claims = &MyClaims{RegisteredClaims: jwt.RegisteredClaims{
+		ID:        uuid.Must(uuid.NewV4()).String(),
+		IssuedAt:  jwt.NewNumericDate(time.Now()),
 		Issuer:    "codeready-toolchain",
-		ExpiresAt: time.Now().Unix() + 60*60*24*30,
-		NotBefore: 0,
+		ExpiresAt: jwt.NewNumericDate(time.Now().Add(30 * 24 * time.Hour)),
+		NotBefore: jwt.NewNumericDate(time.Time{}),
 		Subject:   identity.ID.String(),
 	},
 		IdentityID:        identity.ID.String(),
@@ -301,7 +301,7 @@
 	return tm.GenerateSignedToken(identity, e2ePrivateKID, extraClaims...)
 }
 
-// NewKeyServer creates and starts an http key server
+// NewKeyServer creates and starts a http key server
 func (tg *TokenManager) NewKeyServer() *httptest.Server {
 	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")

pkg/test/auth/tokenmanager_test.go

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	uuid "github.com/gofrs/uuid"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/require"
 	jose "gopkg.in/square/go-jose.v2"
 	"gotest.tools/assert"
@@ -137,7 +137,7 @@ func TestTokenManagerTokens(t *testing.T) {
 		claims, ok := decodedToken.Claims.(*MyClaims)
 		require.True(t, ok)
 		require.Equal(t, identity0.ID.String(), claims.Subject)
-		require.Equal(t, iatTime.Unix(), claims.IssuedAt)
+		require.Equal(t, iatTime.Unix(), claims.IssuedAt.Unix())
 	})
 	t.Run("create token with exp extra claim", func(t *testing.T) {
 		username := uuid.Must(uuid.NewV4()).String()
@@ -154,12 +154,12 @@ func TestTokenManagerTokens(t *testing.T) {
 			return &(key0.PublicKey), nil
 		})
 		require.Error(t, err)
-		require.Contains(t, err.Error(), "token is expired by ")
+		require.EqualError(t, err, "token has invalid claims: token is expired")
 		require.False(t, decodedToken.Valid)
 		claims, ok := decodedToken.Claims.(*MyClaims)
 		require.True(t, ok)
 		require.Equal(t, identity0.ID.String(), claims.Subject)
-		require.Equal(t, expTime.Unix(), claims.ExpiresAt)
+		require.Equal(t, expTime.Unix(), claims.ExpiresAt.Unix())
 	})
 	t.Run("create token with sub extra claim", func(t *testing.T) {
 		username := uuid.Must(uuid.NewV4()).String()
@@ -200,7 +200,7 @@ func TestTokenManagerTokens(t *testing.T) {
 		claims, ok := decodedToken.Claims.(*MyClaims)
 		require.True(t, ok)
 		require.Equal(t, identity0.ID.String(), claims.Subject)
-		require.Equal(t, nbfTime.Unix(), claims.NotBefore)
+		require.Equal(t, nbfTime.Unix(), claims.NotBefore.Unix())
 	})
 	t.Run("create token with given name extra claim", func(t *testing.T) {
 		username := uuid.Must(uuid.NewV4()).String()
@@ -299,7 +299,7 @@ func TestTokenManagerTokens(t *testing.T) {
 		claims, ok := decodedToken.Claims.(*MyClaims)
 		require.True(t, ok)
 		require.Equal(t, identity0.ID.String(), claims.Subject)
-		require.Equal(t, iatTime.Unix(), claims.IssuedAt)
+		require.Equal(t, iatTime.Unix(), claims.IssuedAt.Unix())
 	})
 	t.Run("create token with original_sub extra claim", func(t *testing.T) {
 		username := uuid.Must(uuid.NewV4()).String()