VAULT-32411: upgrade go jose dependency in auth plugins

[aslamovamir]

Description

What does this PR do?
Upgrades the github.com/go-jose/go-jose/v3 dependency in auth plugins to the latest version.

TODO only if you're a HashiCorp employee

• Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
  • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
• ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
  of a public function, even if that change is in a CE file, double check that
  applying the patch for this PR to the ENT repo and running tests doesn't
  break any tests. Sometimes ENT only tests rely on public functions in CE
  files.
• Jira: If this change has an associated Jira, it's referenced either
  in the PR description, commit message, or branch name.
• RFC: If this change has an associated RFC, please link it in the description.
• ENT PR: If this change has an associated ENT PR, please link it in the
  description. Also, make sure the changelog is in this PR, not in your ENT PR.

[github-actions]

Build Results:
Build failed for these jobs: artifacts:failure. Please refer to this workflow to learn more: https://github.com/hashicorp/vault/actions/runs/11899732220

[github-actions]

CI Results: failed ❌

[VioletHynes]

Would it be possible to make this require block list out all of the indirect dependencies? It would help a lot for future maintainability

[VioletHynes]

Same comment for the other go.mods :)

[aslamovamir]

Yup, will do!
I tried running go mod tidy but I do not see go mod files changed. I ran go get -u ./... which changed the go.mod file to list all indirect dependencies but it also upgraded them. The command go get ./... which is supposed to just list the indirect dependencies without upgrading them is making no changes inside the go mod files. Are these the commands you were also thinking of to list them?

[VioletHynes]

There's some colour here: https://go.dev/ref/mod#go-mod-file-require

If we need to list them out one at a time, that'd still be a good thing to do -- but there's probably a better way (regenerating it from scratch?)

[aslamovamir]

Taking a look now, thanks!

[aslamovamir]

I think I found the way Violet! It requires go mod version to be at least 17 but i think it is fine? Since this is the wrong repo we are making changes against, I will create a new PR on vault enterprise repo and tag you there!

[VioletHynes]

Sounds good! And yeah, that works great :)