Update jsonwebtoken dependency

foundation/auth/Cargo.toml

@@ -17,7 +17,7 @@ tracing = "0.1"
 reqwest = { version = "0.12.4", features = ["json", "charset"], default-features = false }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = { version = "1.0" }
-jsonwebtoken = { version = "9.2.0" }
+jsonwebtoken = { version = "10.2", features = ["rust_crypto"] }
 thiserror = "2.0"
 async-trait = "0.1"
 home = "0.5"

foundation/auth/src/token_source/compute_identity_source.rs

@@ -1,5 +1,4 @@
 use async_trait::async_trait;
-use jsonwebtoken::Validation;
 use serde::Deserialize;
 use time::OffsetDateTime;
 use urlencoding::encode;
@@ -20,8 +19,6 @@ use crate::token_source::{default_http_client, TokenSource};
 pub struct ComputeIdentitySource {
     token_url: String,
     client: reqwest::Client,
-    decoding_key: jsonwebtoken::DecodingKey,
-    validation: jsonwebtoken::Validation,
 }
 
 impl std::fmt::Debug for ComputeIdentitySource {
@@ -39,21 +36,13 @@ impl ComputeIdentitySource {
             Err(_e) => METADATA_IP.to_string(),
         };
 
-        // Only used to extract the expiry without checking the signature.
-        let mut validation = Validation::default();
-        validation.insecure_disable_signature_validation();
-        validation.set_audience(&[audience]);
-        let decoding_key = jsonwebtoken::DecodingKey::from_secret(b"");
-
         Ok(ComputeIdentitySource {
             token_url: format!(
                 "http://{}/computeMetadata/v1/instance/service-accounts/default/identity?audience={}&format=full",
                 host,
                 encode(audience)
             ),
             client: default_http_client(),
-            decoding_key,
-            validation,
         })
     }
 }
@@ -75,14 +64,12 @@ impl TokenSource for ComputeIdentitySource {
             .text()
             .await?;
 
-        let exp = jsonwebtoken::decode::<ExpClaim>(&jwt, &self.decoding_key, &self.validation)?
-            .claims
-            .exp;
-
+        // Only used to extract the expiry without checking the signature.
+        let token = jsonwebtoken::dangerous::insecure_decode::<ExpClaim>(jwt.as_bytes())?;
         Ok(Token {
             access_token: jwt,
             token_type: "Bearer".into(),
-            expiry: OffsetDateTime::from_unix_timestamp(exp).ok(),
+            expiry: OffsetDateTime::from_unix_timestamp(token.claims.exp).ok(),
         })
     }
 }

foundation/auth/src/token_source/mod.rs

@@ -66,16 +66,10 @@ impl InternalIdToken {
         })
     }
 
-    fn get_exp(&self, audience: &str) -> Result<i64, Error> {
-        let mut validation = jsonwebtoken::Validation::default();
-        validation.insecure_disable_signature_validation();
-        validation.set_audience(&[audience]);
-        let decoding_key = jsonwebtoken::DecodingKey::from_secret(b"");
-        Ok(
-            jsonwebtoken::decode::<ExpClaim>(self.id_token.as_str(), &decoding_key, &validation)?
-                .claims
-                .exp,
-        )
+    fn get_exp(&self, _audience: &str) -> Result<i64, Error> {
+        //skips all checks, so audience has to be manually checked if necessary
+        let token = jsonwebtoken::dangerous::insecure_decode::<ExpClaim>(self.id_token.as_bytes())?;
+        Ok(token.claims.exp)
     }
 }