Address vulnerable jwt-go dependency

[xntrik]

Hi folks,

This package currently depends on https://github.com/dgrijalva/ that has an un-patched security vulnerability. There are more details in:

• The initial bug report Security Vulnerability: failed type assertion leads to bypassing Audience verification dgrijalva/jwt-go#422
• A proposed PR Fix security issue with aud validation dgrijalva/jwt-go#429
• Ongoing conversation where they're trying to get support to merge this in High Severity Security Vulnerability - Access Restriction Bypass dgrijalva/jwt-go#428

I'm wondering whether it's possible to update adal to use another package (it seems a few places are moving to https://github.com/square/go-jose), or perhaps a fixed fork of jwt-go (https://github.com/form3tech-oss/jwt-go/)

Thanks!

[jhendrixMSFT]

Thanks for bringing this to my attention.

I looked at our usage of jwt-go, we only use it for signing a JWT with a certificate's private key so I believe we're not affected by this issue.

Given our limited reliance on this package it might be better to simply remove it entirely (that's what we did for track 2). I'm looking into this.

[xntrik]

Awesome @jhendrixMSFT - thank you so much for the response

[jhendrixMSFT]

Fixed in module autorest/adal/v0.9.5