unboundsoftware/schemas
6
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases 32 Activity

fix(deps): update module github.com/auth0/go-jwt-middleware/v2 to v3 #678

Merged
argoyle merged 2 commits from renovate/github.com-auth0-go-jwt-middleware-v2-3.x into main 2026-01-19 20:07:21 +00:00
Conversation 0 Commits 2 Files Changed 5
+170 -247
renovate commented 2026-01-19 10:14:34 +00:00
Owner
Copy Link
Copy Source

This PR contains the following updates:

Package Change Age Confidence
github.com/auth0/go-jwt-middleware/v2 v2.3.1v3.0.0 age confidence

Release Notes

auth0/go-jwt-middleware (github.com/auth0/go-jwt-middleware/v2)

v3.0.0

Compare Source

Full Changelog

BEFORE YOU UPGRADE

  • This is a major release that includes breaking changes. Please see MIGRATION_GUIDE.md before upgrading. This release will require changes to your application.
Added
  • Pure options pattern for validator, middleware, and JWKS provider (#​357, #​358, #​360)
  • DPoP (Demonstrating Proof-of-Possession) support per RFC 9449 (#​363)
  • Framework-agnostic core package for reusable validation logic (#​356)
  • Type-safe claims retrieval with generics (GetClaims[T](), MustGetClaims[T](), HasClaims())
  • Structured logging support compatible with log/slog
  • Support for 14 signature algorithms (HS256/384/512, RS256/384/512, PS256/384/512, ES256/384/512, ES256K, EdDSA)
  • Enhanced error responses with RFC 6750 compliance
  • Trusted proxy configuration for DPoP behind reverse proxies
  • Multiple issuer and audience support with new APIs
  • Documentation and linting configuration (#​361)
Changed
  • Migrated from square/go-jose to lestrrat-go/jwx v3 (#​358)
  • Module path updated to github.com/auth0/go-jwt-middleware/v3 (#​355)
  • Minimum Go version updated to 1.24 (#​355)
  • Update examples for v3 module path and new APIs
Breaking
  • Pure options pattern: All constructors (New()) now require functional options instead of positional parameters
  • Context key: ContextKey{} is no longer exported - use GetClaims[T]() helper function
  • Custom claims now use generics for type safety
  • TokenExtractor returns ExtractedToken (with scheme) instead of string
  • Type naming: ExclusionUrlHandler renamed to ExclusionURLHandler
Migration Example

v2:

// Validator with positional parameters
jwtValidator, err := validator.New(
    keyFunc,
    validator.RS256,
    "https://issuer.example.com/",
    []string{"my-api"},
)

// Middleware
middleware := jwtmiddleware.New(jwtValidator.ValidateToken)

// Claims access via context key
claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)

v3:

// Validator with pure options
jwtValidator, err := validator.New(
    validator.WithKeyFunc(keyFunc),
    validator.WithAlgorithm(validator.RS256),
    validator.WithIssuer("https://issuer.example.com/"),
    validator.WithAudience("my-api"),
)

// Middleware with options
middleware, err := jwtmiddleware.New(
    jwtmiddleware.WithValidator(jwtValidator),
)

// Type-safe claims with generics
claims, err := jwtmiddleware.GetClaims[*validator.ValidatedClaims](r.Context())

See MIGRATION_GUIDE.md for complete migration instructions.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/auth0/go-jwt-middleware/v2](https://github.com/auth0/go-jwt-middleware) | `v2.3.1` → `v3.0.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fauth0%2fgo-jwt-middleware%2fv2/v3.0.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fauth0%2fgo-jwt-middleware%2fv2/v2.3.1/v3.0.0?slim=true) | --- ### Release Notes <details> <summary>auth0/go-jwt-middleware (github.com/auth0/go-jwt-middleware/v2)</summary> ### [`v3.0.0`](https://github.com/auth0/go-jwt-middleware/blob/HEAD/CHANGELOG.md#v300-2026-01-19) [Compare Source](https://github.com/auth0/go-jwt-middleware/compare/v2.3.1...v3.0.0) [Full Changelog](https://github.com/auth0/go-jwt-middleware/compare/v2.3.1...v3.0.0) **BEFORE YOU UPGRADE** - This is a major release that includes breaking changes. Please see [MIGRATION\_GUIDE.md](MIGRATION_GUIDE.md) before upgrading. This release will require changes to your application. ##### Added - Pure options pattern for validator, middleware, and JWKS provider ([#&#8203;357](https://github.com/auth0/go-jwt-middleware/pull/357), [#&#8203;358](https://github.com/auth0/go-jwt-middleware/pull/358), [#&#8203;360](https://github.com/auth0/go-jwt-middleware/pull/360)) - DPoP (Demonstrating Proof-of-Possession) support per RFC 9449 ([#&#8203;363](https://github.com/auth0/go-jwt-middleware/pull/363)) - Framework-agnostic core package for reusable validation logic ([#&#8203;356](https://github.com/auth0/go-jwt-middleware/pull/356)) - Type-safe claims retrieval with generics (`GetClaims[T]()`, `MustGetClaims[T]()`, `HasClaims()`) - Structured logging support compatible with `log/slog` - Support for 14 signature algorithms (HS256/384/512, RS256/384/512, PS256/384/512, ES256/384/512, ES256K, EdDSA) - Enhanced error responses with RFC 6750 compliance - Trusted proxy configuration for DPoP behind reverse proxies - Multiple issuer and audience support with new APIs - Documentation and linting configuration ([#&#8203;361](https://github.com/auth0/go-jwt-middleware/pull/361)) ##### Changed - Migrated from square/go-jose to lestrrat-go/jwx v3 ([#&#8203;358](https://github.com/auth0/go-jwt-middleware/pull/358)) - Module path updated to `github.com/auth0/go-jwt-middleware/v3` ([#&#8203;355](https://github.com/auth0/go-jwt-middleware/pull/355)) - Minimum Go version updated to 1.24 ([#&#8203;355](https://github.com/auth0/go-jwt-middleware/pull/355)) - Update examples for v3 module path and new APIs ##### Breaking - Pure options pattern: All constructors (`New()`) now require functional options instead of positional parameters - Context key: `ContextKey{}` is no longer exported - use `GetClaims[T]()` helper function - Custom claims now use generics for type safety - `TokenExtractor` returns `ExtractedToken` (with scheme) instead of `string` - Type naming: `ExclusionUrlHandler` renamed to `ExclusionURLHandler` ##### Migration Example **v2:** ```go // Validator with positional parameters jwtValidator, err := validator.New( keyFunc, validator.RS256, "https://issuer.example.com/", []string{"my-api"}, ) // Middleware middleware := jwtmiddleware.New(jwtValidator.ValidateToken) // Claims access via context key claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims) ``` **v3:** ```go // Validator with pure options jwtValidator, err := validator.New( validator.WithKeyFunc(keyFunc), validator.WithAlgorithm(validator.RS256), validator.WithIssuer("https://issuer.example.com/"), validator.WithAudience("my-api"), ) // Middleware with options middleware, err := jwtmiddleware.New( jwtmiddleware.WithValidator(jwtValidator), ) // Type-safe claims with generics claims, err := jwtmiddleware.GetClaims[*validator.ValidatedClaims](r.Context()) ``` See [MIGRATION\_GUIDE.md](MIGRATION_GUIDE.md) for complete migration instructions. *** </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi43OC4yIiwidXBkYXRlZEluVmVyIjoiNDIuNzguMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
argoyle force-pushed renovate/github.com-auth0-go-jwt-middleware-v2-3.x from 1f1d1d4c7c to 817927cb7d 2026-01-19 19:39:32 +00:00 Compare
argoyle merged commit 6143a96c75 into main 2026-01-19 20:07:20 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
dependencies
Pull requests that update a dependency file
 docker
go
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
acctest (Shiny Acctest) argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unboundsoftware/schemas#678
Delete Branch "renovate/github.com-auth0-go-jwt-middleware-v2-3.x"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?