Fix build after jwx v2 to v3 upgrade (#1367)

Signed-off-by: Juan Antonio Osorio <[email protected]>

Author: JAORMX

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/gofrs/flock v0.12.1
 	github.com/google/go-containerregistry v0.20.6
 	github.com/google/uuid v1.6.0
-	github.com/lestrrat-go/jwx/v2 v2.1.6
+	github.com/lestrrat-go/httprc/v3 v3.0.0
 	github.com/lestrrat-go/jwx/v3 v3.0.10
 	github.com/lmittmann/tint v1.1.2
 	github.com/mark3labs/mcp-go v0.37.0
@@ -153,6 +153,7 @@ require (
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
@@ -282,8 +283,6 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc v1.0.6 // indirect
-	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0

go.sum

@@ -1271,15 +1271,14 @@ github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9T
 github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc v1.0.6 h1:qgmgIRhpvBqexMJjA/PmwSvhNk679oqD1RbovdCGW8k=
-github.com/lestrrat-go/httprc v1.0.6/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
-github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
-github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx/v2 v2.1.6 h1:hxM1gfDILk/l5ylers6BX/Eq1m/pnxe9NBwW6lVfecA=
-github.com/lestrrat-go/jwx/v2 v2.1.6/go.mod h1:Y722kU5r/8mV7fYDifjug0r8FK8mZdw0K0GpJw/l8pU=
+github.com/lestrrat-go/httprc/v3 v3.0.0 h1:nZUx/zFg5uc2rhlu1L1DidGr5Sj02JbXvGSpnY4LMrc=
+github.com/lestrrat-go/httprc/v3 v3.0.0/go.mod h1:k2U1QIiyVqAKtkffbg+cUmsyiPGQsb9aAfNQiNFuQ9Q=
+github.com/lestrrat-go/jwx/v3 v3.0.10 h1:XuoCBhZBncRIjMQ32HdEc76rH0xK/Qv2wq5TBouYJDw=
 github.com/lestrrat-go/jwx/v3 v3.0.10/go.mod h1:kNMedLgTpHvPJkK5EMVa1JFz+UVyY2dMmZKu3qjl/Pk=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
+github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
+github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg=
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ=
 github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@@ -1591,6 +1590,8 @@ github.com/transparency-dev/tessera v0.2.1-0.20250610150926-8ee4e93b2823 h1:s3p7
 github.com/transparency-dev/tessera v0.2.1-0.20250610150926-8ee4e93b2823/go.mod h1:Jv2IDwG1q8QNXZTaI1X6QX8s96WlJn73ka2hT1n4N5c=
 github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc=
 github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
+github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=
+github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=
 github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=

pkg/auth/token.go

@@ -13,7 +13,8 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
-	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/httprc/v3"
+	"github.com/lestrrat-go/jwx/v3/jwk"
 
 	"github.com/stacklok/toolhive/pkg/logger"
 	"github.com/stacklok/toolhive/pkg/networking"
@@ -195,10 +196,15 @@ func NewTokenValidator(ctx context.Context, config TokenValidatorConfig) (*Token
 	config.httpClient = httpClient
 
 	// Create a new JWKS client with auto-refresh
-	cache := jwk.NewCache(ctx)
+	// In jwx v3, NewCache requires an httprc.Client
+	httprcClient := httprc.NewClient(httprc.WithHTTPClient(httpClient))
+	cache, err := jwk.NewCache(ctx, httprcClient)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create JWKS cache: %w", err)
+	}
 
-	// Register the JWKS URL with the cache using custom HTTP client
-	err = cache.Register(jwksURL, jwk.WithHTTPClient(httpClient))
+	// Register the JWKS URL with the cache
+	err = cache.Register(ctx, jwksURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to register JWKS URL: %w", err)
 	}
@@ -229,9 +235,10 @@ func (v *TokenValidator) getKeyFromJWKS(ctx context.Context, token *jwt.Token) (
 	}
 
 	// Get the key set from the JWKS
-	keySet, err := v.jwksClient.Get(ctx, v.jwksURL)
+	// In jwx v3, Get is replaced with Lookup
+	keySet, err := v.jwksClient.Lookup(ctx, v.jwksURL)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get JWKS: %w", err)
+		return nil, fmt.Errorf("failed to lookup JWKS: %w", err)
 	}
 
 	// Get the key with the matching key ID
@@ -241,9 +248,10 @@ func (v *TokenValidator) getKeyFromJWKS(ctx context.Context, token *jwt.Token) (
 	}
 
 	// Get the raw key
+	// In jwx v3, Raw method is replaced with Export function
 	var rawKey interface{}
-	if err := key.Raw(&rawKey); err != nil {
-		return nil, fmt.Errorf("failed to get raw key: %w", err)
+	if err := jwk.Export(key, &rawKey); err != nil {
+		return nil, fmt.Errorf("failed to export raw key: %w", err)
 	}
 
 	return rawKey, nil

pkg/auth/token_test.go

@@ -15,7 +15,7 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
-	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/jwx/v3/jwk"
 )
 
 const testKeyID = "test-key-1"
@@ -31,7 +31,7 @@ func TestTokenValidator(t *testing.T) {
 	publicKey := &privateKey.PublicKey
 
 	// Create a key set with the public key
-	key, err := jwk.FromRaw(publicKey)
+	key, err := jwk.Import(publicKey)
 	if err != nil {
 		t.Fatalf("Failed to create JWK from public key: %v", err)
 	}
@@ -76,7 +76,7 @@ func TestTokenValidator(t *testing.T) {
 	}
 
 	// Force a refresh of the JWKS cache
-	_, err = validator.jwksClient.Get(ctx, jwksServer.URL)
+	_, err = validator.jwksClient.Lookup(ctx, jwksServer.URL)
 	if err != nil {
 		t.Fatalf("Failed to refresh JWKS cache: %v", err)
 	}
@@ -173,7 +173,7 @@ func TestTokenValidatorMiddleware(t *testing.T) {
 	publicKey := &privateKey.PublicKey
 
 	// Create a key set with the public key
-	key, err := jwk.FromRaw(publicKey)
+	key, err := jwk.Import(publicKey)
 	if err != nil {
 		t.Fatalf("Failed to create JWK from public key: %v", err)
 	}
@@ -218,7 +218,7 @@ func TestTokenValidatorMiddleware(t *testing.T) {
 	}
 
 	// Force a refresh of the JWKS cache
-	_, err = validator.jwksClient.Get(ctx, jwksServer.URL)
+	_, err = validator.jwksClient.Lookup(ctx, jwksServer.URL)
 	if err != nil {
 		t.Fatalf("Failed to refresh JWKS cache: %v", err)
 	}
@@ -505,7 +505,7 @@ func TestNewTokenValidatorWithOIDCDiscovery(t *testing.T) {
 	publicKey := &privateKey.PublicKey
 
 	// Create a key set with the public key
-	key, err := jwk.FromRaw(publicKey)
+	key, err := jwk.Import(publicKey)
 	if err != nil {
 		t.Fatalf("Failed to create JWK from public key: %v", err)
 	}
@@ -608,7 +608,7 @@ func TestNewTokenValidatorWithOIDCDiscovery(t *testing.T) {
 		}
 
 		// Force a refresh of the JWKS cache
-		_, err = validator.jwksClient.Get(ctx, validator.jwksURL)
+		_, err = validator.jwksClient.Lookup(ctx, validator.jwksURL)
 		if err != nil {
 			t.Fatalf("Failed to refresh JWKS cache: %v", err)
 		}