distribution/registry/auth/token
Milos Gajdos 52d68216c0
feature: Bump go-jose and require signing algorithms in auth
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-30 20:44:35 +01:00
..
accesscontroller.go feature: Bump go-jose and require signing algorithms in auth 2024-05-30 20:44:35 +01:00
accesscontroller_test.go Fix: ‘autoRedirect’ hardcode ‘https’ scheme 2024-03-05 20:50:09 +08:00
fuzz_test.go feature: Bump go-jose and require signing algorithms in auth 2024-05-30 20:44:35 +01:00
stringset.go Move auth package under registry package 2015-02-10 17:34:04 -08:00
token.go feature: Bump go-jose and require signing algorithms in auth 2024-05-30 20:44:35 +01:00
token_test.go feature: Bump go-jose and require signing algorithms in auth 2024-05-30 20:44:35 +01:00
types.go refactor: rename WeakStringList to AudienceList 2022-10-21 11:11:50 +02:00
types_test.go registry/auth/token: fix the surrounding loop is unconditionally terminate 2023-05-09 16:04:17 +02:00
util.go feat: replace docker/libtrust with go-jose/go-jose 2023-10-19 15:32:59 +01:00