From be5c6ecafee5e6fa00e2f6562de96c83a4d00a8a Mon Sep 17 00:00:00 2001 From: Mike Brancato Date: Fri, 12 Dec 2025 09:46:57 -0500 Subject: [PATCH] Update dependencies --- auth/jwks_test.go | 73 ++++++++++++++++++++++++++++++++++++++--------- go.mod | 14 ++++----- go.sum | 24 ++++++++-------- 3 files changed, 79 insertions(+), 32 deletions(-) diff --git a/auth/jwks_test.go b/auth/jwks_test.go index c8cfdb2..d93e09d 100644 --- a/auth/jwks_test.go +++ b/auth/jwks_test.go @@ -17,9 +17,11 @@ import ( ) type jwksTester struct { - privateKey *rsa.PrivateKey - keyId string - jwksUrl string + invalidKey *rsa.PrivateKey + privateKey *rsa.PrivateKey + invalidKeyId string + keyId string + jwksUrl string } func (t *jwksTester) jwksHandler(w http.ResponseWriter, r *http.Request) { @@ -51,9 +53,17 @@ func setupJwksForTest() (*jwksTester, func()) { } kid := keyFingerprint(key) + invalidKey, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + panic(err) + } + invalidKid := keyFingerprint(invalidKey) + tn := jwksTester{ - privateKey: key, - keyId: kid, + invalidKey: invalidKey, + privateKey: key, + invalidKeyId: invalidKid, + keyId: kid, } s := tn.startJwksServer() @@ -104,10 +114,11 @@ func TestJwksValidation(t *testing.T) { defer closer() tests := []struct { - name string - claims jwt.MapClaims - hasKeyId bool - success bool + name string + claims jwt.MapClaims + hasKeyId bool + success bool + invalidKey bool }{ { name: "valid token", 
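Review bot: `invalidKeyId` is added to `jwksTester` in this hunk and filled in by `setupJwksForTest` in the next one, but no hunk in this patch reads it: the test loop sets `token.Header["kid"] = tn.keyId` in both the trusted-key and the `invalidKey` arm. Either drop the field, or use it for the case the two new table entries do not cover, a token whose `kid` names a key the JWKS endpoint does not serve, via `token.Header["kid"] = tn.invalidKeyId` with `success: false`. Code outside the visible hunks may reference the field, so confirm before removing it.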
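Review bot: Nothing in the `setupJwksForTest` hunk says why a second key pair is generated, and the name `invalidKey` suggests a malformed key when it is an ordinary 2048-bit RSA key. A comment above the added `rsa.GenerateKey` call such as `// invalidKey is a well-formed key that is not published in the served JWKS; tokens signed with it must be rejected` would state the intent, and a name like `untrustedKey` would carry it in the identifier. The handler that builds the JWKS document is outside this hunk, so this assumes it publishes only `privateKey`.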
@@ -142,9 +153,36 @@ func TestJwksValidation(t *testing.T) { "exp": time.Now().Add(time.Minute).Unix(), "iat": time.Now().Unix(), }, - success: false, // kid is technically optional, the keyfunc library requires it + // the keyfunc v3.5.0+ no longer requires a kid to find the key + success: true, hasKeyId: false, }, + { + name: "invalidKey key", + claims: jwt.MapClaims{ + "aud": "test-svc", + "iss": "https://test-svc", + "sub": "1234567890", + "exp": time.Now().Add(time.Minute).Unix(), + "iat": time.Now().Unix(), + }, + success: false, + hasKeyId: true, + invalidKey: true, + }, + { + name: "invalidKey key missing kid", + claims: jwt.MapClaims{ + "aud": "test-svc", + "iss": "https://test-svc", + "sub": "1234567890", + "exp": time.Now().Add(time.Minute).Unix(), + "iat": time.Now().Unix(), + }, + success: false, + hasKeyId: false, + invalidKey: true, + }, { name: "expired token missing kid", claims: jwt.MapClaims{ @@ -162,11 +200,20 @@ func TestJwksValidation(t *testing.T) { for _, tt := range tests { t.Run( tt.name, func(t *testing.T) { + var tokenString string + var err error token := jwt.NewWithClaims(jwt.SigningMethodRS256, tt.claims) - if tt.hasKeyId { - token.Header["kid"] = tn.keyId + if tt.invalidKey { + if tt.hasKeyId { + token.Header["kid"] = tn.keyId + } + tokenString, err = token.SignedString(tn.invalidKey) + } else { + if tt.hasKeyId { + token.Header["kid"] = tn.keyId + } + tokenString, err = token.SignedString(tn.privateKey) } - tokenString, err := token.SignedString(tn.privateKey) assert.NoError(t, err) manager := NewJwksKeyManager(tn.jwksUrl, &ValidatableMapClaims{"aud": "test-svc"}) diff --git a/go.mod b/go.mod index f951c60..e925e38 100644 --- a/go.mod +++ b/go.mod 
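Review bot: The flip to `success: true` for the token without a `kid` records a change in what `NewJwksKeyManager` accepts, yet it arrives in a commit titled "Update dependencies" with only a test comment to mark it. After the keyfunc upgrade a token with no `kid` header validates, so any deployment that relied on the old rejection to make issuers identify their signing key no longer gets it. I would say so in the commit message or changelog and spell the reason out next to the case, e.g. `// keyfunc v3.5.0+ finds the key without a kid, so a kid-less token signed by the served key is accepted`. The two added cases could also be named for what they test, e.g. `"signed by unpublished key"` and `"signed by unpublished key, missing kid"`. The table entry being changed begins above the hunk.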
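Review bot: The `if tt.hasKeyId { token.Header["kid"] = tn.keyId }` block is now written twice, once in each arm of `if tt.invalidKey`, and the two arms differ only in the key passed to `SignedString`. Choosing the signing key first and setting the header once removes the duplication and the separate `var tokenString string` / `var err error` declarations. It also makes it plain that the unpublished-key cases deliberately keep the trusted `kid`, so that they exercise signature verification rather than key lookup. The subtest closure continues past the end of the hunk.

```go
token := jwt.NewWithClaims(jwt.SigningMethodRS256, tt.claims)
// Only the signing key varies; the kid stays the trusted one so the
// unpublished-key cases exercise signature verification.
signingKey := tn.privateKey
if tt.invalidKey {
	signingKey = tn.invalidKey
}
if tt.hasKeyId {
	token.Header["kid"] = tn.keyId
}
tokenString, err := token.SignedString(signingKey)
// … unchanged: assert.NoError and manager setup …
```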
@@ -1,19 +1,19 @@ module github.com/mbrancato/oidc-proxy -go 1.23 +go 1.25.0 require ( - github.com/MicahParks/jwkset v0.9.6 - github.com/MicahParks/keyfunc/v3 v3.4.0 - github.com/golang-jwt/jwt/v5 v5.2.2 + github.com/MicahParks/jwkset v0.11.0 + github.com/MicahParks/keyfunc/v3 v3.7.0 + github.com/golang-jwt/jwt/v5 v5.3.0 github.com/jessevdk/go-flags v1.6.1 - github.com/stretchr/testify v1.10.0 - golang.org/x/time v0.12.0 + github.com/stretchr/testify v1.11.1 + golang.org/x/time v0.14.0 gopkg.in/yaml.v3 v3.0.1 ) require ( github.com/davecgh/go-spew v1.1.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - golang.org/x/sys v0.33.0 // indirect + golang.org/x/sys v0.39.0 // indirect ) diff --git a/go.sum b/go.sum index 4a22def..cf27ccb 100644 --- a/go.sum +++ b/go.sum 
@@ -1,21 +1,21 @@ -github.com/MicahParks/jwkset v0.9.6 h1:Tf8l2/MOby5Kh3IkrqzThPQKfLytMERoAsGZKlyYZxg= -github.com/MicahParks/jwkset v0.9.6/go.mod h1:U2oRhRaLgDCLjtpGL2GseNKGmZtLs/3O7p+OZaL5vo0= -github.com/MicahParks/keyfunc/v3 v3.4.0 h1:g03TXq6NjhZyO/UkODl//abm4KiLLNRi0VhW7vGOHyg= -github.com/MicahParks/keyfunc/v3 v3.4.0/go.mod h1:y6Ed3dMgNKTcpxbaQHD8mmrYDUZWJAxteddA6OQj+ag= +github.com/MicahParks/jwkset v0.11.0 h1:yc0zG+jCvZpWgFDFmvs8/8jqqVBG9oyIbmBtmjOhoyQ= +github.com/MicahParks/jwkset v0.11.0/go.mod h1:U2oRhRaLgDCLjtpGL2GseNKGmZtLs/3O7p+OZaL5vo0= +github.com/MicahParks/keyfunc/v3 v3.7.0 h1:pdafUNyq+p3ZlvjJX1HWFP7MA3+cLpDtg69U3kITJGM= +github.com/MicahParks/keyfunc/v3 v3.7.0/go.mod h1:z66bkCviwqfg2YUp+Jcc/xRE9IXLcMq6DrgV/+Htru0= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= -github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= +github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= +github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/jessevdk/go-flags v1.6.1 h1:Cvu5U8UGrLay1rZfv/zP7iLpSHGUZ/Ou68T0iX1bBK4= github.com/jessevdk/go-flags v1.6.1/go.mod h1:Mk8T1hIAWpOiJiHa9rJASDK2UGWji0EuPGBnNLMooyc= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/time v0.12.0 
h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= -golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= +golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=