Azure JWT validation in Go not working

When using Go language to develop Azure applications, we often encounter the problem that JWT (JSON Web Token) verification does not work. JWT is a secure transport method for passing claims between web applications, but sometimes you encounter various issues when using Azure's JWT validation in Go. This article will introduce you to some possible reasons why JWT verification does not work, and provide corresponding solutions to help you solve this common problem. This article has been carefully compiled by PHP editor Apple, and I hope it will be helpful to you.

Question content

I have a go http server. I want to secure my route using azure jwt token. I am able to generate the token but cannot verify it.

This is what I did:

package main

import (
    "context"
    "errors"
    "fmt"

    "github.com/dgrijalva/jwt-go"
    "github.com/lestrrat-go/jwx/jwa"
    "github.com/lestrrat-go/jwx/jwk"
    njwt "github.com/lestrrat-go/jwx/jwt"
)

const token = "<access-token>"

const jwksurl = `https://login.microsoftonline.com/common/discovery/keys`

func main() {
    set, _ := jwk.fetch(context.todo(), jwksurl)
    // verified that set has required kid 
    verify2(token, set)
    token, err := verify(token, set)
    // token, err := jwt.parse(token, getkey)
    if err != nil {
        panic(err)
    }
    claims := token.claims.(jwt.mapclaims)
    for key, value := range claims {
        fmt.printf("%s\t%v\n", key, value)
    }
}

func verify2(token string, keyset jwk.set) {
    btoken := []byte(token)
    parsedtoken, err := njwt.parse(
        btoken, //token is a []byte
        njwt.withkeyset(keyset),
        njwt.withvalidate(true),
    )
    fmt.printf("%v %v", parsedtoken, err)
}

func verify(tokenstring string, keyset jwk.set) (*jwt.token, error) {
    tkn, err := jwt.parse(tokenstring, func(token *jwt.token) (interface{}, error) {
        if token.method.alg() != jwa.rs256.string() {
            return nil, fmt.errorf("unexpected signing method: %v", token.header["alg"])
        }
        kid, ok := token.header["kid"].(string)
        if !ok {
            return nil, errors.new("kid header not found")
        }
        keys, ok := keyset.lookupkeyid(kid)
        if !ok {
            return nil, fmt.errorf("key %v not found", kid)
        }
        var raw interface{}
        err := keys.raw(&raw)
        return raw, err
    })
    return tkn, err
}

verify2(..) gives <nil> failed to match any keys and verify(..) gives crypto/rsa: Verification error

My jwt header:

{
  "typ": "JWT",
  "nonce": "...",
  "alg": "RS256",
  "x5t": "-KI3Q9nNR7bRofxmeZoXqbHZGew",
  "kid": "-KI3Q9nNR7bRofxmeZoXqbHZGew"
}

Workaround

You are using the wrong type of Azure AD access token. Content with nonces in JWT headers are not intended to be verified by your own API - they are intended for Microsoft's own API.

You need to expose an API scope to resolve this issue, after which you will get an access token without the nonce in the JWT header. My blog post has some further relevant information.

The above is the detailed content of Azure JWT validation in Go not working. For more information, please follow other related articles on the PHP Chinese website!