Move jws to an internal repo #196

Open
rakyll opened this issue Aug 24, 2016 · 4 comments

Comments

@rakyll
Contributor

rakyll commented Aug 24, 2016

Package jws misleads users into thinking it might be a full JWS implementation, even though it is a partial implementation to implement the JWT flow.

Due to the fact that we promised not to break any APIs, we cannot move this package to internal right away. The good news is that, according to public GitHub usage, there are very few instances of the jws package being imported.

We should contact those repos and ask them to vendor the package if they would like to keep depending on it. I have no information about the usage in private repos, but I assume it is not a popular package.

/cc @broady @bradfitz

The current instances of the jws use:

vanadium/go.ref,services/allocator/allocatord/oauth.go,e8dcce40994e8d21960dede875203a005b2b6ce9
the-information/ori,account/auth/middleware.go,d94007bded4eeb243825171d117d4982eed9c296
luci/luci-go,tokenserver/appengine/services/admin/serviceaccounts/service.go,42696ec393fe507df6dc52cff1a993f513ca2c60
the-information/ori,test/jwt.go,462c3148f6dd2b4cf3e5b542df759a814d5d96fb
the-information/ori,test/handler.go,8c5f15e5331ea1f5c432fc98ea3ac3e16033a936
the-information/ori,account/auth/auth_test.go,21a9190f6a087e27179586f4ba06a04d0f2401df
the-information/ori,account/auth/auth.go,2f7ed3494f376f9a81522aa5cafb978c3e1ab7e6
jitsi/jap,jap.go,7d9daf86b306610f40cee05619acb0ddfe429e8a
jitsi/jap,google.go,feaaab385b86850cdf69b1420269198f4f39bb47
jitsi/jap,jap_test.go,9f918e044cb0f822e90228d3978a8d66d9277a73
GoogleCloudPlatform/golang-samples,docs/managed_vms/endpoints/client/main.go,d39ed3c5c1bc33ae75c90eb2f4af118d34ef576c
the-information/ori,account/auth/middleware_test.go,5c699134e6c0053b682281d0fd4bd5f4c00d8ed9
the-information/ori,admin/admin.go,e68c87a894f2c1c889cdc25968a7881fba41ad3c
@rakyll
Contributor Author

rakyll commented Aug 24, 2016

And there are a few non-GitHub importers: https://godoc.org/golang.org/x/oauth2/jws?importers

@bradfitz
Contributor

Start by adding a warning notice to the top of the package doc, and then that locks down the list of people we need to responsibly notify.

If anybody new comes along after the package doc, it's their fault.

gopherbot pushed a commit that referenced this issue Aug 25, 2016
This package is not a general-use JWS implementation and should live
under internal. For now, just add a warning that no new users should
depend on it.

Updates #196.

Change-Id: I0eef273c8327a5ad26eb33a4425afcadca23494b
Reviewed-on: https://go-review.googlesource.com/27692
Reviewed-by: Brad Fitzpatrick <[email protected]>
@rakyll
Contributor Author

rakyll commented Aug 29, 2016

Given that jws.Verify is a requirement to verify ID tokens during 2-legged flows, we should keep it around.

@riclage

riclage commented Mar 23, 2018

> Given that jws.Verify is a requirement to verify ID tokens during 2-legged flows, we should keep it around.

@rakyll, is it safe to still use this package to verify ID tokens? In the case of Google ID tokens, I only find one alternative other than maintaining my own verification implementation: to use the tokeninfo endpoint. But that is not ideal either, since it requires an extra network call.
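
The local ID-token check discussed in the last two comments, as an added example that is not code from this thread or from golang.org/x/oauth2: it verifies the RS256 signature with the standard library only, then checks `iss`, `aud` and `exp`, which a signature test alone never reads. The names `verifyIDToken`, `sign` and `demoKey`, the issuer URL and the client IDs are hypothetical, and it assumes the issuer's public key has already been obtained and that `aud` is a single string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway key, constructed for this example

// verifyIDToken checks the RS256 signature first, then iss, aud and exp.
func verifyIDToken(tok string, key *rsa.PublicKey, iss, aud string, now int64) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return fmt.Errorf("token has %d parts, want 3", len(p))
	}
	sig, err1 := base64.RawURLEncoding.DecodeString(p[2])
	body, err2 := base64.RawURLEncoding.DecodeString(p[1])
	if err1 != nil || err2 != nil {
		return fmt.Errorf("malformed base64url in token")
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig); err != nil {
		return err // signature was not produced by the holder of this key
	}
	var c struct{ Iss, Aud string; Exp int64 } // encoding/json matches keys case-insensitively
	if json.Unmarshal(body, &c) != nil || c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return nil
}

// sign builds a constructed RS256 token with demoKey so the example runs offline.
func sign(claims string) string {
	enc := base64.RawURLEncoding.EncodeToString
	msg := enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(claims))
	sum := sha256.Sum256([]byte(msg))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, demoKey, crypto.SHA256, sum[:])
	return msg + "." + enc(sig)
}

func main() {
	tok := sign(`{"iss":"https://issuer.example","aud":"client-a","exp":2000}`) // constructed claims
	fmt.Println(verifyIDToken(tok, &demoKey.PublicKey, "https://issuer.example", "client-b", 1000))
}
```

Because the code always verifies with RSA PKCS#1 v1.5 and SHA-256, the token's own `alg` header cannot select a different algorithm.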
