Conversation

@DoumanAsh (Contributor) commented Nov 18, 2025

I would like to remove multiple instances of jsonwebtoken from my dependency tree, so I wanted to bump it in this crate as I rely on it (this version introduces the user's choice of crypto libraries, so I defaulted to the Rust one, as it was before).

Unfortunately jsonwebtoken wants to deprecate a useful API:

warning: use of deprecated method `jsonwebtoken::Validation::insecure_disable_signature_validation`: Use `jsonwebtoken::dangerous::insecure_decode` if you require this functionality.
  --> foundation/auth/src/token_source/mod.rs:71:20
   |
71 |         validation.insecure_disable_signature_validation();

The suggested alternative does not validate the audience.
Would you like me to implement audience validation as part of the upgrade PR? (I'm not sure how critical it is in the context where signature validation is skipped, so if it is OK to skip validation, I can change the code to use jsonwebtoken::dangerous::insecure_decode.)

@yoshidan added the "safe to test" label Nov 19, 2025

@DoumanAsh (Contributor, Author)

Sorry for the failed CI.
As I mentioned above, the library deprecated the method you currently use to skip signature verification, so I wanted to confirm whether you'd prefer to skip verification of the audience too by using insecure_decode, which skips all checks.
Or would you prefer to retain audience verification? (In that case I will implement it as part of this PR.)

@yoshidan (Owner)

Hi @DoumanAsh

I would like to proceed with the removal of insecure_disable_signature_validation.
I anticipate that simply deleting it will be sufficient, so I would appreciate it if you could handle this as a straight removal within this Pull Request.
Should you encounter any unforeseen difficulties or complications, please use jsonwebtoken::dangerous::insecure_decode instead.

@DoumanAsh (Contributor, Author)

@yoshidan So, just removing the method will cause you to attempt to construct an invalid key (since there is no key), so I had to switch to insecure_decode, which means the audience is no longer checked. I'm not sure if it is actually relevant in this context: since this part only needs expiration, I assume the audience should be correct anyway in this context.

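The situation described in this thread, as an added example that is not code from google-cloud-rust or jsonwebtoken: once a token is decoded without signature verification (which is what jsonwebtoken::dangerous::insecure_decode does), neither `exp` nor `aud` is checked for you, so the caller has to enforce both by hand. The block below does that on a constructed, unsigned sample token. It is dependency-free: the base64url codec and the toy claim lookup are assumptions standing in for the crate's own decoding and for serde deserialization of a claims struct, and a single-string `aud` is assumed (the array form is not handled). Since the signature is never checked, these claim checks only reject stale or misdirected tokens, not forged ones, which is exactly the trade-off the thread is weighing.

```rust
// Added example (not code from google-cloud-rust or jsonwebtoken): checks a
// caller still owns after decoding a JWT without verifying its signature,
// demonstrated on a constructed unsigned token. The JSON handling is a toy
// extractor standing in for serde deserialization of a claims struct.
use std::time::{SystemTime, UNIX_EPOCH};

const ALPHABET: &[u8; 64] =
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/// Unpadded base64url encoding, the form JWT segments use.
pub fn base64url_encode(data: &[u8]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let mut n: u32 = 0;
        for (i, b) in chunk.iter().enumerate() {
            n |= (*b as u32) << (16 - 8 * i);
        }
        // 1 byte -> 2 chars, 2 bytes -> 3 chars, 3 bytes -> 4 chars
        for i in 0..chunk.len() + 1 {
            out.push(ALPHABET[((n >> (18 - 6 * i)) & 0x3f) as usize] as char);
        }
    }
    out
}

/// Unpadded base64url decoding; None on any character outside the alphabet.
pub fn base64url_decode(input: &str) -> Option<Vec<u8>> {
    let mut out = Vec::with_capacity(input.len() * 3 / 4);
    let (mut buf, mut bits) = (0u32, 0u32);
    for c in input.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None,
        };
        buf = (buf << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Toy lookup of a numeric claim; only adequate for the flat payload built below.
fn claim_number(payload: &str, name: &str) -> Option<u64> {
    let key = format!("\"{}\":", name);
    let rest = &payload[payload.find(&key)? + key.len()..];
    let digits: String = rest.chars().take_while(|c| c.is_ascii_digit()).collect();
    digits.parse().ok()
}

/// Toy lookup of a string claim (single-string `aud`; the array form is not handled).
fn claim_string(payload: &str, name: &str) -> Option<String> {
    let key = format!("\"{}\":\"", name);
    let rest = &payload[payload.find(&key)? + key.len()..];
    Some(rest[..rest.find('"')?].to_string())
}

#[derive(Debug, PartialEq)]
pub enum ClaimError {
    Malformed,
    MissingClaim(&'static str),
    Expired,
    WrongAudience,
}

/// Decode the payload without touching the signature (what insecure_decode does),
/// then enforce `exp` and `aud` by hand. Returns the accepted `exp` on success.
pub fn check_unverified_claims(token: &str, expected_aud: &str, now: u64) -> Result<u64, ClaimError> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 {
        return Err(ClaimError::Malformed);
    }
    let bytes = base64url_decode(parts[1]).ok_or(ClaimError::Malformed)?;
    let payload = String::from_utf8(bytes).map_err(|_| ClaimError::Malformed)?;
    let exp = claim_number(&payload, "exp").ok_or(ClaimError::MissingClaim("exp"))?;
    if exp <= now {
        return Err(ClaimError::Expired);
    }
    let aud = claim_string(&payload, "aud").ok_or(ClaimError::MissingClaim("aud"))?;
    if aud != expected_aud {
        return Err(ClaimError::WrongAudience);
    }
    Ok(exp)
}

/// Constructed sample token; the signature segment is a placeholder because this
/// code path never inspects it.
pub fn sample_token(aud: &str, exp: u64) -> String {
    let header = base64url_encode(br#"{"alg":"RS256","typ":"JWT"}"#);
    let payload = base64url_encode(format!("{{\"aud\":\"{}\",\"exp\":{}}}", aud, exp).as_bytes());
    format!("{}.{}.signature-not-checked", header, payload)
}

fn main() {
    let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs();
    let token = sample_token("https://example.invalid", 4_102_444_800);
    println!("{:?}", check_unverified_claims(&token, "https://example.invalid", now));
    println!("{:?}", check_unverified_claims(&token, "https://other.invalid", now));
}
```

With the real crate the decoded claims struct replaces the two toy lookups, and the two `if` checks are the part that `insecure_decode` leaves to the caller.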
@yoshidan re-added the "safe to test" label Nov 29, 2025

@DoumanAsh (Contributor, Author)

@yoshidan there seems to be a cargo deny issue with dependencies:
https://github.com/yoshidan/google-cloud-rust/actions/runs/19785002840/job/56690260308?pr=409

It doesn't like licenses... I'm not really sure why someone would make such a check, but the bigger issue is the rsa dependency being considered insecure all of a sudden.
I'm not sure why jsonwebtoken would want to use rust-crypto, but one alternative could be to try aws-lc-rs, I guess.

@yoshidan (Owner) commented Nov 30, 2025

> but one alternative could be to try to check aws-lc-rs I guess

I agree. The following actions made the PR work in my environment.

  • Use aws_lc_rs instead of rust_crypto:
    jsonwebtoken = { version = "10.2.0", features = ["aws_lc_rs"] }
  • Add the following entry to deny.toml:
    exceptions = [
       ...
        { allow = ["OpenSSL"], name = "aws-lc-sys" },
    ]

% cargo deny --workspace --all-features --log-level=error check
advisories ok, bans ok, licenses ok, sources ok

@yoshidan re-added the "safe to test" label Nov 30, 2025

@DoumanAsh (Contributor, Author)

I actually wanted to avoid depending on aws-lc, but jsonwebtoken's crypto backend is not flexible enough to allow a ring implementation (or any alternative implementation, for that matter), so it seems to be the only choice for now, which is unfortunate...

@yoshidan yoshidan merged commit 77318aa into yoshidan:main Nov 30, 2025
9 checks passed
@yoshidan (Owner)

Thank you for your contribution.

@DoumanAsh DoumanAsh deleted the update_jsonwebtoken branch November 30, 2025 07:49