Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to verify a JSON Web Token with the jwt-go library?

Tags:

go

jwt

jwt-go

I am using the jwt-go library in golang, and using the HS512 algorithm for signing the token. I want to make sure the token is valid and the example in the docs is like this:

token, err := jwt.Parse(myToken, func(token *jwt.Token) (interface{}, error) {
    return myLookupKey(token.Header["kid"])
})

if err == nil && token.Valid {
    fmt.Println("Your token is valid.  I like your style.")
} else {
    fmt.Println("This token is terrible!  I cannot accept this.")
}

I understand that myToken is the string token and the keyFunc gets passed the parsed token, but I don't understand what myLookupKey function is supposed to do?, and token.Header doesn't have a kid value when i print it to console and even thought the token has all the data I put in it, token.Valid is always false. Is this a bug? How do I verify the token is valid?

like image 360
zola Avatar asked Jan 03 '16 15:01

zola


People also ask

How do I verify JWT on JWT io?

Verify RS256-signed tokensGo to Dashboard > Applications. Go to the Settings view, and open Advanced Settings. Go to the Certificates view, locate the Signed Certificate field, and copy the Public Key. Navigate to the JWT.io website, locate the Algorithm dropdown, and select RS256.

How do I decode a JWT token in Golang?

Use github.com/dgrijalva/jwt-go go liabary for the implementation. we can extract JWT token information from the api request according to the following way. When post the JWT token from the using post request. you must extract JWT information in routing section.


1 Answers

The keyFunc is supposed to return the private key that the library should use to verify the token's signature. How you obtain this key is entirely up to you.

The example from the documentation shows a non-standard (not defined in RFC 7519) additional feature that is offered by the jwt-go library. Using a kid field in the header (short for key ID), clients can specify with which key the token was signed. On verification, you can then use the key ID to look up one of (possible several) known keys (how and if you implement this key lookup is up to you).

If you do not want to use this feature, just don't. Simply return a static byte stream from the keyFunc without inspecting the token headers:

token, err := jwt.Parse(myToken, func(token *jwt.Token) (interface{}, error) {
    key, err := ioutil.ReadFile("your-private-key.pem")
    if err != nil {
        return nil, errors.New("private key could not be loaded")
    }
    return key, nil
})
like image 72
helmbert Avatar answered Oct 02 '22 21:10

helmbert