Skip to content

fix(deps): update module github.com/auth0/go-jwt-middleware to v3 #308

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
self-hosted-renovatebot wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(deps): update module github.com/auth0/go-jwt-middleware to v3 #308

self-hosted-renovatebot wants to merge 1 commit into from

Conversation

@self-hosted-renovatebot
Copy link
Contributor

@self-hosted-renovatebot self-hosted-renovatebot bot commented Jan 9, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/auth0/go-jwt-middleware v0.0.0-20200810150920-a32d7af194d1v3.0.0 age confidence

Release Notes

auth0/go-jwt-middleware (github.com/auth0/go-jwt-middleware)

v3.0.0

Compare Source

Full Changelog

BEFORE YOU UPGRADE

  • This is a major release that includes breaking changes. Please see MIGRATION_GUIDE.md before upgrading. This release will require changes to your application.
Added
  • Pure options pattern for validator, middleware, and JWKS provider (#​357, #​358, #​360)
  • DPoP (Demonstrating Proof-of-Possession) support per RFC 9449 (#​363)
  • Framework-agnostic core package for reusable validation logic (#​356)
  • Type-safe claims retrieval with generics (GetClaims[T](), MustGetClaims[T](), HasClaims())
  • Structured logging support compatible with log/slog
  • Support for 14 signature algorithms (HS256/384/512, RS256/384/512, PS256/384/512, ES256/384/512, ES256K, EdDSA)
  • Enhanced error responses with RFC 6750 compliance
  • Trusted proxy configuration for DPoP behind reverse proxies
  • Multiple issuer and audience support with new APIs
  • Documentation and linting configuration (#​361)
Changed
  • Migrated from square/go-jose to lestrrat-go/jwx v3 (#​358)
  • Module path updated to github.com/auth0/go-jwt-middleware/v3 (#​355)
  • Minimum Go version updated to 1.24 (#​355)
  • Update examples for v3 module path and new APIs
Breaking
  • Pure options pattern: All constructors (New()) now require functional options instead of positional parameters
  • Context key: ContextKey{} is no longer exported - use GetClaims[T]() helper function
  • Custom claims now use generics for type safety
  • TokenExtractor returns ExtractedToken (with scheme) instead of string
  • Type naming: ExclusionUrlHandler renamed to ExclusionURLHandler
Migration Example

v2:

// Validator with positional parameters
jwtValidator, err := validator.New(
    keyFunc,
    validator.RS256,
    "https://issuer.example.com/",
    []string{"my-api"},
)

// Middleware
middleware := jwtmiddleware.New(jwtValidator.ValidateToken)

// Claims access via context key
claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)

v3:

// Validator with pure options
jwtValidator, err := validator.New(
    validator.WithKeyFunc(keyFunc),
    validator.WithAlgorithm(validator.RS256),
    validator.WithIssuer("https://issuer.example.com/"),
    validator.WithAudience("my-api"),
)

// Middleware with options
middleware, err := jwtmiddleware.New(
    jwtmiddleware.WithValidator(jwtValidator),
)

// Type-safe claims with generics
claims, err := jwtmiddleware.GetClaims[*validator.ValidatedClaims](r.Context())

See MIGRATION_GUIDE.md for complete migration instructions.

v3.0.0-beta.0

Compare Source

Full Changelog

BEFORE YOU UPGRADE

  • This is a major release that includes breaking changes. Please see MIGRATION_GUIDE.md before upgrading. This release will require changes to your application.
Added
  • Pure options pattern for validator, middleware, and JWKS provider (#​357, #​358, #​360)
  • DPoP (Demonstrating Proof-of-Possession) support per RFC 9449 (#​363)
  • Framework-agnostic core package for reusable validation logic (#​356)
  • Type-safe claims retrieval with generics (GetClaims[T](), MustGetClaims[T](), HasClaims())
  • Structured logging support compatible with log/slog
  • Support for 14 signature algorithms (HS256/384/512, RS256/384/512, PS256/384/512, ES256/384/512, ES256K, EdDSA)
  • Enhanced error responses with RFC 6750 compliance
  • Trusted proxy configuration for DPoP behind reverse proxies
  • Multiple issuer and audience support with new APIs
  • Documentation and linting configuration (#​361)
Changed
  • Migrated from square/go-jose to lestrrat-go/jwx v3 (#​358)
  • Module path updated to github.com/auth0/go-jwt-middleware/v3 (#​355)
  • Minimum Go version updated to 1.24 (#​355)
  • Update examples for v3 module path and new APIs
Breaking
  • Pure options pattern: All constructors (New()) now require functional options instead of positional parameters
  • Context key: ContextKey{} is no longer exported - use GetClaims[T]() helper function
  • Custom claims now use generics for type safety
  • TokenExtractor returns ExtractedToken (with scheme) instead of string
  • Type naming: ExclusionUrlHandler renamed to ExclusionURLHandler
Migration Example

v2:

// Validator with positional parameters
jwtValidator, err := validator.New(
    keyFunc,
    validator.RS256,
    "https://issuer.example.com/",
    []string{"my-api"},
)

// Middleware
middleware := jwtmiddleware.New(jwtValidator.ValidateToken)

// Claims access via context key
claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)

v3:

// Validator with pure options
jwtValidator, err := validator.New(
    validator.WithKeyFunc(keyFunc),
    validator.WithAlgorithm(validator.RS256),
    validator.WithIssuer("https://issuer.example.com/"),
    validator.WithAudience("my-api"),
)

// Middleware with options
middleware, err := jwtmiddleware.New(
    jwtmiddleware.WithValidator(jwtValidator),
)

// Type-safe claims with generics
claims, err := jwtmiddleware.GetClaims[*validator.ValidatedClaims](r.Context())

See MIGRATION_GUIDE.md for complete migration instructions.

v2.3.1

Compare Source

Full Changelog

BEFORE YOU UPGRADE

  • This is a major release that includes breaking changes. Please see MIGRATION_GUIDE.md before upgrading. This release will require changes to your application.
Added
  • Pure options pattern for validator, middleware, and JWKS provider (#​357, #​358, #​360)
  • DPoP (Demonstrating Proof-of-Possession) support per RFC 9449 (#​363)
  • Framework-agnostic core package for reusable validation logic (#​356)
  • Type-safe claims retrieval with generics (GetClaims[T](), MustGetClaims[T](), HasClaims())
  • Structured logging support compatible with log/slog
  • Support for 14 signature algorithms (HS256/384/512, RS256/384/512, PS256/384/512, ES256/384/512, ES256K, EdDSA)
  • Enhanced error responses with RFC 6750 compliance
  • Trusted proxy configuration for DPoP behind reverse proxies
  • Multiple issuer and audience support with new APIs
  • Documentation and linting configuration (#​361)
Changed
  • Migrated from square/go-jose to lestrrat-go/jwx v3 (#​358)
  • Module path updated to github.com/auth0/go-jwt-middleware/v3 (#​355)
  • Minimum Go version updated to 1.24 (#​355)
  • Update examples for v3 module path and new APIs
Breaking
  • Pure options pattern: All constructors (New()) now require functional options instead of positional parameters
  • Context key: ContextKey{} is no longer exported - use GetClaims[T]() helper function
  • Custom claims now use generics for type safety
  • TokenExtractor returns ExtractedToken (with scheme) instead of string
  • Type naming: ExclusionUrlHandler renamed to ExclusionURLHandler
Migration Example

v2:

// Validator with positional parameters
jwtValidator, err := validator.New(
    keyFunc,
    validator.RS256,
    "https://issuer.example.com/",
    []string{"my-api"},
)

// Middleware
middleware := jwtmiddleware.New(jwtValidator.ValidateToken)

// Claims access via context key
claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)

v3:

// Validator with pure options
jwtValidator, err := validator.New(
    validator.WithKeyFunc(keyFunc),
    validator.WithAlgorithm(validator.RS256),
    validator.WithIssuer("https://issuer.example.com/"),
    validator.WithAudience("my-api"),
)

// Middleware with options
middleware, err := jwtmiddleware.New(
    jwtmiddleware.WithValidator(jwtValidator),
)

// Type-safe claims with generics
claims, err := jwtmiddleware.GetClaims[*validator.ValidatedClaims](r.Context())

See MIGRATION_GUIDE.md for complete migration instructions.

v2.3.0

Compare Source

Full Changelog

Security

v2.2.2

Compare Source

Full Changelog

Added

Fixed

v2.2.1

Compare Source

Full Changelog

Security

v2.2.0

Compare Source

Full Changelog

Security

v2.1.0

Compare Source

Full Changelog

Added

Changed

  • ESD-32688: Improve locking and blocking associated with key retrieval #​225 (ewanharris)
  • Replace deprecated pkg/errors in favor of Go's standard library #​189 (molaga)
  • Replace square/go-jose with go-jose/go-jose #​188 (sergiught)
  • Fail to instantiate validator when audience is an empty string #​183 (sergiught)

v2.0.1

Compare Source

Full Changelog

Added
  • Allow setting a custom http.Client on the jwks.Provider (#​151)
  • Add example tests (#​157)
  • Add example for the gin web framework (#​175)
Fixed
  • Fix CookieTokenExtractor to not throw error when no cookie present (#​172)
  • Fix panic threat when using type-cast for customClaims in validator (#​165)
  • Fix authentication error when setting multiple audiences on validator (#​176)

v2.0.0

Compare Source

Full Changelog

Security
  • Update Crypto dependency (#​146)

v2.0.0-beta.1

Compare Source

Full Changelog

Changed
  • Improved how we pass CustomClaims to Validator for concurrent scenarios (#​134)

v2.0.0-beta

Compare Source

Full Changelog

Changed
  • Improved how we pass CustomClaims to Validator for concurrent scenarios (#​134)

v1.0.1

Compare Source

Full Changelog

BEFORE YOU UPGRADE

  • This is a major release that includes breaking changes. Please see MIGRATION_GUIDE before
    upgrading. This release will require changes to your application.
Added
Changed
  • Update docs (#​72)
  • Reorganize imports across the project
  • Reorder fields to use less memory
  • Split jwtmiddleware into multiple files
Breaking
  • Simplify JWT library functionality into an interface (#​77)
  • Rename Claims to RegisteredClaims in validator pkg
  • Refactor main middleware (#​90, #​51, #​51)
  • Write back error messages on DefaultErrorHandler
Fixed
  • Fix code smells and code style

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@self-hosted-renovatebot self-hosted-renovatebot bot requested a review from a team as a code owner January 9, 2026 10:56
@self-hosted-renovatebot
Copy link
Contributor Author

self-hosted-renovatebot bot commented Jan 9, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.23.6 -> 1.24.0
golang.org/x/crypto v0.38.0 -> v0.46.0
golang.org/x/mod v0.26.0 -> v0.30.0
golang.org/x/net v0.40.0 -> v0.47.0
golang.org/x/sys v0.33.0 -> v0.40.0
golang.org/x/text v0.28.0 -> v0.32.0

gitops-autobot-reviewer-cresta[bot]
gitops-autobot-reviewer-cresta bot approved these changes Jan 9, 2026
View reviewed changes
Copy link

@gitops-autobot-reviewer-cresta gitops-autobot-reviewer-cresta bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved: PR created by known bot user @self-hosted-renovatebot[bot]

@coderabbitai
Copy link

coderabbitai bot commented Jan 9, 2026
edited
Loading

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch renovate/github.com-auth0-go-jwt-middleware-3.x

Comment @coderabbitai help to get the list of available commands and usage tips.

@self-hosted-renovatebot self-hosted-renovatebot bot force-pushed the renovate/github.com-auth0-go-jwt-middleware-3.x branch from f0b6600 to 39978a3 Compare January 15, 2026 20:56
@self-hosted-renovatebot self-hosted-renovatebot bot force-pushed the renovate/github.com-auth0-go-jwt-middleware-3.x branch from 39978a3 to 1f68e11 Compare January 19, 2026 11:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gitops-autobot-reviewer-cresta gitops-autobot-reviewer-cresta[bot] gitops-autobot-reviewer-cresta[bot] approved these changes

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant