Insecure library for an insecure format
Aydin Mercan fa79a9a7bc
readme: add ci badge and goals clarification
As everyone is aware, you don't need JWTs for OAuth. However, OIDC
requires them, which is a main target, alongside almost every non-OIDC
(unfortunately) using JWT.

Furthermore, despite being labeled under "signatures" in the standard,
MACs aren't a goal in this library.
2021-12-04 12:12:13 +03:00
.github/workflows ci/github: fix typo 2021-11-02 10:50:03 +03:00
internal/publickey jwk, internal/publickey: unmarshal -> decode 2021-12-04 10:55:00 +03:00
jwk jwk, internal/publickey: unmarshal -> decode 2021-12-04 10:55:00 +03:00
LICENSE initial commit 2021-11-02 10:43:52 +03:00
README.md readme: add ci badge and goals clarification 2021-12-04 12:12:13 +03:00
flake.lock nix: add nix flake 2021-11-08 15:44:10 +03:00
flake.nix nix: add nix flake 2021-11-08 15:44:10 +03:00
go.mod mod: update dependency 2021-12-04 11:50:25 +03:00
go.sum internal/publickey: move from public jwk add tests 2021-11-03 20:41:03 +03:00

README.md

Dumb JOSE

Insecure library for a set of insecure formats. It aims to provide inflexible verification for cases where you unfortunately can't avoid touching JWT.

Requirements

  • Go >= 1.17

Disclaimer

Don't use JWT. You don't need me to tell you about it. Likewise, you shouldn't need me to tell you that you shouldn't use this library.

Goals

  • Just enough JWT for people to speak commonly encountered OAuth 2.0 (esp. with OIDC) and the like.
  • Don't allow for any of the sharp edges.
  • Allow for binding domain parameters as much as possible to the public keys.
  • Extensive test coverage, even when a particular case seems pedantic, is guaranteed to be handled properly and/or is unlikely to be problematic.
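
The sketch below illustrates what binding a domain parameter to a public key can look like: the verifier takes the algorithm from the key, never from the token header. It is an added example, not code from this library; BoundKey, Verify, NewSampleKey and Sign are hypothetical names, Ed25519 is an assumed choice, and the tokens are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// BoundKey (hypothetical name) carries the one algorithm its key may be used with.
type BoundKey struct {
	Alg string
	Pub ed25519.PublicKey
}

var b64 = base64.RawURLEncoding

// Verify returns the payload only if the header alg equals the key's bound alg and the signature checks.
func Verify(token string, k BoundKey) ([]byte, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("not a three-part compact JWS")
	}
	hdr, err := b64.DecodeString(p[0])
	var h struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != k.Alg {
		return nil, fmt.Errorf("header alg %q is not the one bound to this key", h.Alg)
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !ed25519.Verify(k.Pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("bad signature")
	}
	return b64.DecodeString(p[1])
}

// NewSampleKey and Sign exist only to construct sample tokens for this example.
func NewSampleKey() (BoundKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return BoundKey{Alg: "EdDSA", Pub: pub}, priv
}
func Sign(priv ed25519.PrivateKey, header, payload string) string {
	in := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(payload))
	return in + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(in)))
}

func main() {
	k, priv := NewSampleKey()
	_, err := Verify(Sign(priv, `{"alg":"none"}`, `{"sub":"x"}`), k)
	fmt.Println("alg=none rejected:", err != nil)
}
```

Because the header can only confirm the bound algorithm, a token whose header says "none" or "HS256" is rejected before any signature check is attempted.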

Non-Goals

  • Signing capabilities.
  • Anything that has to do with encryption, key exchange or MACs.
  • Be 100% compliant with the standard.

License

This repository is licensed under the BSD-3-Clause license. Refer to LICENSE for more information.