Based on #3934, we need to make the auth library clean of security warnings. This is currently being caused mainly by the id token feature (more specifically the id token verification feature), which pulls in the `jsonwebtoken` crate, which has `rsa` in its dependency chain. Vulnerability report: https://rustsec.org/advisories/RUSTSEC-2023-0071
We also include `rsa` as a dev-dependency for tests, to generate a real certificate based on some test prime numbers. I think we can replace this with `ring`: https://docs.rs/ring/latest/ring/rsa/struct.KeyPair.html#method.from_components. We already use `ring` as a crypto provider in the `rustls` crate.
Current plan:
- Put `idtoken` behind a Rust feature. impl(auth): make idtoken a feature #3961
- Use the `aws_lc` backend instead of `rust_crypto` for `jsonwebtoken`. This removes the dependency on `rsa`, but customers don't like the `aws_lc` backend, since it is not written in pure Rust, so this is just temporary and gated behind the `idtoken` feature. impl(auth): change jsonwebtoken crypto provider #3962
- We are gonna wait for `rsa` to be fixed. For the time being, `idtoken` is gated behind a feature.
- Replace `rsa` usage with `ring` for tests.
- Replace `jsonwebtoken`. We don't have a candidate crate yet, but maybe some code can be written to check for signatures using `ring`. refactor(auth): move from jsonwebtoken crate to biscuit #3960
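As an added illustration of the plan above (not taken from the issue or the project's own manifest), here is a `Cargo.toml` sketch that gates the id token code behind an `idtoken` feature, switches `jsonwebtoken` to the `aws_lc_rs` backend so `rsa` drops out of the dependency graph, and moves the test-only key generation to `ring`. The crate versions and the `jsonwebtoken` feature names (`rust_crypto`, `aws_lc_rs`) are assumptions to be checked against the versions actually in use; the manifest is constructed for this example.

```toml
# Constructed example manifest, not the project's own file.

[features]
default = []
# Opting in to id token verification is what pulls in jsonwebtoken;
# everything else in the auth crate stays free of the rsa chain.
idtoken = ["dep:jsonwebtoken"]

[dependencies]
# Before (what produced the RUSTSEC-2023-0071 warning): the default
# rust_crypto backend of jsonwebtoken depends on the rsa crate.
#   jsonwebtoken = "9.3"
#
# After: optional, non-default backend (assumed feature name), only
# compiled when the idtoken feature is enabled.
jsonwebtoken = { version = "9.3", optional = true, default-features = false, features = ["aws_lc_rs"] }
rustls = "0.23"   # already brings ring in as a crypto provider

[dev-dependencies]
# Before: rsa used only to build a test key from fixed primes.
#   rsa = "0.9"
#
# After: ring::rsa::KeyPair::from_components takes the same
# n, e, d, p, q, dP, dQ, qInv values, so the test primes can be kept.
ring = "0.17"
```

After the change, `cargo tree -i rsa` should report that the package is not in the graph (and `cargo tree -i rsa --features idtoken` should too), and `cargo audit` should no longer list RUSTSEC-2023-0071; both are worth running in CI so the warning cannot silently return through a transitive dependency.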