Replace abandoned github.com/dgrijalva/jwt-go with github.com/golang-jwt/jwt

[andrey-dubnik]

Hi, please consider the feature below

Is your feature request related to a problem? Please describe.

JWT token gets parsed with the library github.com/dgrijalva/jwt-go which is not actively maintained and is a subject to the risk of the newly discoverable exploits not being patched up timely if at all. There is a community fork with the active release cadence accordingly to the dgrijalva/jwt-go#474

Describe the solution you'd like

Accordingly to the migration guide the solution is down to a find/replace https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md

[sergeybykov]

@andrey-dubnik Thank you for bringing this up!

Looks like the upgrade isn't a drop-in replacement because of the missing WithAudience and WithoutAudienceValidation functions. Need to dig deeper to figure out how to switch with losing validation of audience.

[sergeybykov]

I opened an issue to clarify.

[lestrrat]

Hi, I'm the author of github.com/lestrrat-go/jwx, and I just happened to stumble upon your project while looking for potential victims users of my code. I know you are not asking for your jwt library to be swapped with mine, but I thought I'd give it a try.

Please find my proposed changes through this link: https://github.com/temporalio/temporal/compare/master...lestrrat-go:replace-dgrijalva-lestrrat-go-jwx?expand=1 (I haven't filed a PR as I still don't know if you would be interested :)

If you do happen to like what github.com/lestrrat-go/jwx has to offer, and would like to consider replacing dgrijalva/jwt-go, please let me know and I will file a PR. If not, please ignore my message! Thanks for reading!