Remove jwk-alg Cargo feature

PR #131 introduced the `jwk-alg` feature to avoid introducing a breaking
change into 3.x. In preparation for the 4.0 major release, the feature
flag is removed, and its functionality is enabled by default.

BREAKING CHANGES:
 - `jwk-alg` is no longer a valid feature name
 - The `CoreJsonWebKey` type will now deserialize the optional `alg`
   field. If a JWK contains an unrecognized algorithm, deserialization
   may fail.
 - If a JWK contains an `alg` field that is incompatible with the
   signing algorithm specified in a JWT's JOSE header's `alg` field,
   signature verification will fail (as a security measure against key
   confusion attacks).

Cargo.toml

@@ -26,9 +26,6 @@ rustls-tls = ["oauth2/rustls-tls"]
 accept-rfc3339-timestamps = []
 accept-string-booleans = []
 nightly = []
-# TODO: remove this feature gate on the next major release
-# see https://github.com/ramosbugs/openidconnect-rs/pull/131#discussion_r1349786021
-jwk-alg = []
 
 [dependencies]
 base64 = "0.13"

src/core/jwk/mod.rs

@@ -1,11 +1,9 @@
-use crate::core::{crypto, CoreJwsSigningAlgorithm};
+use crate::core::{crypto, CoreJweContentEncryptionAlgorithm, CoreJwsSigningAlgorithm};
 use crate::helpers::{deserialize_option_or_none, Base64UrlEncodedBytes};
 use crate::types::jwks::check_key_compatibility;
-#[cfg(feature = "jwk-alg")]
-use crate::{core::CoreJweContentEncryptionAlgorithm, JsonWebKeyAlgorithm, JsonWebTokenAlgorithm};
 use crate::{
-    JsonWebKey, JsonWebKeyId, JsonWebKeyType, JsonWebKeyUse, PrivateSigningKey,
-    SignatureVerificationError, SigningError,
+    JsonWebKey, JsonWebKeyAlgorithm, JsonWebKeyId, JsonWebKeyType, JsonWebKeyUse,
+    JsonWebTokenAlgorithm, PrivateSigningKey, SignatureVerificationError, SigningError,
 };
 
 use ed25519_dalek::pkcs8::DecodePrivateKey;
@@ -37,7 +35,6 @@ pub struct CoreJsonWebKey {
     /// [RFC 7517](https://www.rfc-editor.org/rfc/rfc7517#section-4.4)).
     ///
     /// It can either be an algorithm intended for use with JWS or JWE, or something different.
-    #[cfg(feature = "jwk-alg")]
     #[serde(skip_serializing_if = "Option::is_none")]
     pub(crate) alg: Option<
         JsonWebTokenAlgorithm<
@@ -118,7 +115,6 @@ impl CoreJsonWebKey {
             x: None,
             y: None,
             d: None,
-            #[cfg(feature = "jwk-alg")]
             alg: None,
         }
     }
@@ -144,7 +140,6 @@ impl CoreJsonWebKey {
             x: Some(Base64UrlEncodedBytes::new(x)),
             y: Some(Base64UrlEncodedBytes::new(y)),
             d: None,
-            #[cfg(feature = "jwk-alg")]
             alg: None,
         }
     }
@@ -166,7 +161,6 @@ impl CoreJsonWebKey {
             x: Some(Base64UrlEncodedBytes::new(x)),
             y: None,
             d: None,
-            #[cfg(feature = "jwk-alg")]
             alg: None,
         }
     }
@@ -195,7 +189,6 @@ impl JsonWebKey<CoreJwsSigningAlgorithm, CoreJsonWebKeyType, CoreJsonWebKeyUse>
             x: None,
             y: None,
             d: None,
-            #[cfg(feature = "jwk-alg")]
             alg: None,
         }
     }
@@ -373,7 +366,6 @@ impl JsonWebKey<CoreJwsSigningAlgorithm, CoreJsonWebKeyType, CoreJsonWebKeyUse>
         }
     }
 
-    #[cfg(feature = "jwk-alg")]
     fn signing_alg(&self) -> JsonWebKeyAlgorithm<&CoreJwsSigningAlgorithm> {
         match self.alg {
             None => JsonWebKeyAlgorithm::Unspecified,
@@ -536,7 +528,6 @@ impl
                 y: None,
                 d: None,
                 k: None,
-                #[cfg(feature = "jwk-alg")]
                 alg: None,
             },
         }
@@ -691,7 +682,6 @@ impl
             x: None,
             y: None,
             d: None,
-            #[cfg(feature = "jwk-alg")]
             alg: None,
         }
     }

src/core/jwk/tests.rs

@@ -1,16 +1,15 @@
 use crate::core::jwk::CoreJsonCurveType;
 use crate::core::{
     CoreEdDsaPrivateSigningKey, CoreHmacKey, CoreJsonWebKey, CoreJsonWebKeySet, CoreJsonWebKeyType,
-    CoreJsonWebKeyUse, CoreJwsSigningAlgorithm, CoreRsaPrivateSigningKey,
+    CoreJsonWebKeyUse, CoreJweContentEncryptionAlgorithm, CoreJwsSigningAlgorithm,
+    CoreRsaPrivateSigningKey,
 };
 use crate::helpers::Base64UrlEncodedBytes;
 use crate::jwt::tests::{
     TEST_EC_PUB_KEY_P256, TEST_EC_PUB_KEY_P384, TEST_ED_PUB_KEY_ED25519, TEST_RSA_PUB_KEY,
 };
 use crate::verification::SignatureVerificationError;
-#[cfg(feature = "jwk-alg")]
-use crate::{core::CoreJweContentEncryptionAlgorithm, JsonWebTokenAlgorithm};
-use crate::{JsonWebKey, JsonWebKeyId, PrivateSigningKey, SigningError};
+use crate::{JsonWebKey, JsonWebKeyId, JsonWebTokenAlgorithm, PrivateSigningKey, SigningError};
 
 use rand::rngs::mock::StepRng;
 use rand::{CryptoRng, RngCore};
@@ -128,7 +127,6 @@ fn test_core_jwk_deserialization_symmetric() {
     assert_eq!(key.kid, None);
     assert_eq!(key.n, None);
     assert_eq!(key.e, None);
-    #[cfg(feature = "jwk-alg")]
     assert_eq!(
         key.alg,
         Some(JsonWebTokenAlgorithm::Encryption(
@@ -983,7 +981,6 @@ fn test_jwks_unsupported_key() {
 }
 
 // Tests that JsonWebKeySet ignores keys with unsupported algorithms
-#[cfg(feature = "jwk-alg")]
 #[test]
 fn test_jwks_unsupported_alg() {
     let jwks_json = "{
@@ -1013,7 +1010,6 @@ fn test_jwks_unsupported_alg() {
 }
 
 // Test filtering keys by algorithm
-#[cfg(feature = "jwk-alg")]
 #[test]
 fn test_jwks_same_kid_different_alg() {
     let jwks_json = "{

src/types/jwk.rs

@@ -33,7 +33,6 @@ where
     /// no algorithm constraint was given, or unsupported if the algorithm is not for signing.
     ///
     /// It's not sufficient to tell whether a key can be used for signing, as key use also has to be validated.
-    #[cfg(feature = "jwk-alg")]
     fn signing_alg(&self) -> JsonWebKeyAlgorithm<&JS>;
 
     /// Initializes a new symmetric key or shared signing secret from the specified raw bytes.

src/types/jwks.rs

@@ -61,17 +61,13 @@ where
         return Err("key type does not match signature algorithm");
     }
 
-    #[cfg(feature = "jwk-alg")]
     match key.signing_alg() {
         // if no specific algorithm is mandated, any will do
         crate::JsonWebKeyAlgorithm::Unspecified => Ok(()),
         crate::JsonWebKeyAlgorithm::Unsupported => Err("key algorithm is not a signing algorithm"),
         crate::JsonWebKeyAlgorithm::Algorithm(key_alg) if key_alg == signing_algorithm => Ok(()),
         crate::JsonWebKeyAlgorithm::Algorithm(_) => Err("incompatible key algorithm"),
     }
-
-    #[cfg(not(feature = "jwk-alg"))]
-    Ok(())
 }
 
 impl<JS, JT, JU, K> JsonWebKeySet<JS, JT, JU, K>

src/verification/tests.rs

@@ -468,7 +468,6 @@ fn test_jwt_verified_claims() {
             x: None,
             y: None,
             d: None,
-            #[cfg(feature = "jwk-alg")]
             alg: None,
         }]),
     )
@@ -495,7 +494,6 @@ fn test_jwt_verified_claims() {
             x: None,
             y: None,
             d: None,
-            #[cfg(feature = "jwk-alg")]
             alg: None,
         }]),
     )