github lestrrat-go/jwx v1.2.7


Lots of usability improvements around jwt.Parse() and jwt.Validate()!

v1.2.7 26 Sep 2021
[New features]
  * `jwt.InferAlgorithmFromKey()` option is now available to "guess"
    the algorithm used to verify the JWS signature on a JWT using
    a JWKS (key set). This allows you to match JWKs that do not have
    the `alg` field populated.

    We understand that some providers do not populate the `alg` field,
    which is a nuisance to users. But from a purely security-minded PoV,
    we don't think that this "try until something works" approach is a
    good one, even if there are no known exploits. This is why the
    default `jwt.Parse` behaviour is unchanged, and an explicit option
    has been added.

  * Types `jwt.KeySetProvider` and `jwt.KeySetProviderFunc` have been
    added. Along with the `jwt.WithKeySetProvider()` option, `jwt.Parse`
    can now choose the `jwk.Set` to use for signature verification
    dynamically, using the UNVERIFIED token as a clue.

    Treat the information in the unverified token as a hint only. For
    example, DO NOT take verification parameters (such as the signature
    algorithm) directly from the token.

  * `jwt.WithValidator()` has been added to allow users to pass arbitrary
    validation code to the `jwt.Validate()` method.

    It is also now possible to pass in a `context.Context` object to
    `jwt.Validate()` using `jwt.WithContext()` option.
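
The two mechanisms above (a provider that picks the key set from the
unverified token, and an algorithm inferred from the key rather than from
the header) illustrated as an added example that is not jwx's own code and
does not use the jwx API. It is written against the Go standard library
only, so it runs without the module; the names `KeySet`, `KeySetProvider`,
`Sign`, `Verify` and `NewDemoProvider`, the issuer URLs and the `kid`
values are assumptions of the example, and the key sets and tokens are
constructed inline. Only ECDSA P-256 keys are supported, so "infer the
algorithm from the key" reduces to P-256 -> ES256.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// KeySet maps a `kid` to a public key; like many providers' JWKS it carries no `alg`.
type KeySet map[string]*ecdsa.PublicKey

// KeySetProvider picks a KeySet from the UNVERIFIED claims (here `iss`): the
// token may steer the key-set choice, never the verification algorithm.
type KeySetProvider func(unverifiedClaims map[string]any) (KeySet, error)

// Sign builds a compact ES256 JWS (demo signer); `alg` is a parameter only so the demo can craft a lying header.
func Sign(alg, kid string, claims map[string]any, priv *ecdsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "kid": kid})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, sum[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JOSE form: r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify decodes the token, lets the provider choose a key set from the
// still-unverified claims, then verifies with the algorithm implied by the key.
func Verify(token string, provider KeySetProvider) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	for i, v := range []any{&hdr, &claims} { // decode only; nothing is trusted yet
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err == nil {
			err = json.Unmarshal(raw, v)
		}
		if err != nil {
			return nil, err
		}
	}
	set, err := provider(claims) // unverified claims serve purely as a lookup hint
	if err != nil {
		return nil, err
	}
	// Infer the algorithm from the selected key (P-256 -> ES256). The header
	// `alg` is only checked for consistency, never used to choose the verifier.
	pub := set[hdr.Kid]
	if pub == nil || pub.Curve != elliptic.P256() || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("no usable key for kid %q with alg %q", hdr.Kid, hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad signature encoding")
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, sum[:], r, s) {
		return nil, fmt.Errorf("signature verification failed")
	}
	return claims, nil // claims may be used only from here on
}

// NewDemoProvider creates two issuers with separate key sets (constructed data)
// and a provider that selects a set by the unverified `iss` claim.
func NewDemoProvider() (KeySetProvider, map[string]*ecdsa.PrivateKey) {
	privs, sets := map[string]*ecdsa.PrivateKey{}, map[string]KeySet{}
	for _, iss := range []string{"https://idp-a.example", "https://idp-b.example"} {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		privs[iss], sets[iss] = k, KeySet{"key-1": &k.PublicKey}
	}
	return func(claims map[string]any) (KeySet, error) {
		iss, _ := claims["iss"].(string) // untrusted; a non-string just yields ""
		if set, ok := sets[iss]; ok {
			return set, nil
		}
		return nil, fmt.Errorf("no key set for issuer %q", iss)
	}, privs
}

func main() {
	provider, privs := NewDemoProvider()
	tok, _ := Sign("ES256", "key-1", map[string]any{"iss": "https://idp-a.example", "sub": "alice"}, privs["https://idp-a.example"])
	fmt.Println(Verify(tok, provider)) // map[iss:https://idp-a.example sub:alice] <nil>
}
```

The shape to keep is the order of operations: decode, pick a key set using
the claims as nothing more than a lookup key, derive the algorithm from the
key that was found, verify, and only then let the claims out. A token whose
`iss` points at issuer B but which is signed with A's key is rejected by B's
key set; a token whose header says `HS256` is rejected because the selected
key is P-256, regardless of what the header asks for.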
