When using Go language to develop Azure applications, we often encounter the problem that JWT (JSON Web Token) verification does not work. JWT is a secure transport method for passing claims between web applications, but sometimes you encounter various issues when using Azure's JWT validation in Go. This article will introduce you to some possible reasons why JWT verification does not work, and provide corresponding solutions to help you solve this common problem. This article has been carefully compiled by PHP editor Apple, and I hope it will be helpful to you.
I have a go http server. I want to secure my route using azure jwt token. I am able to generate the token but cannot verify it.
This is what I did:
package main import ( "context" "errors" "fmt" "github.com/dgrijalva/jwt-go" "github.com/lestrrat-go/jwx/jwa" "github.com/lestrrat-go/jwx/jwk" njwt "github.com/lestrrat-go/jwx/jwt" ) const token = "<access-token>" const jwksurl = `https://login.microsoftonline.com/common/discovery/keys` func main() { set, _ := jwk.fetch(context.todo(), jwksurl) // verified that set has required kid verify2(token, set) token, err := verify(token, set) // token, err := jwt.parse(token, getkey) if err != nil { panic(err) } claims := token.claims.(jwt.mapclaims) for key, value := range claims { fmt.printf("%s\t%v\n", key, value) } } func verify2(token string, keyset jwk.set) { btoken := []byte(token) parsedtoken, err := njwt.parse( btoken, //token is a []byte njwt.withkeyset(keyset), njwt.withvalidate(true), ) fmt.printf("%v %v", parsedtoken, err) } func verify(tokenstring string, keyset jwk.set) (*jwt.token, error) { tkn, err := jwt.parse(tokenstring, func(token *jwt.token) (interface{}, error) { if token.method.alg() != jwa.rs256.string() { return nil, fmt.errorf("unexpected signing method: %v", token.header["alg"]) } kid, ok := token.header["kid"].(string) if !ok { return nil, errors.new("kid header not found") } keys, ok := keyset.lookupkeyid(kid) if !ok { return nil, fmt.errorf("key %v not found", kid) } var raw interface{} err := keys.raw(&raw) return raw, err }) return tkn, err }
verify2(..)
gives <nil> failed to match any keys
and
verify(..)
gives crypto/rsa: Verification error
My jwt header:
{ "typ": "JWT", "nonce": "...", "alg": "RS256", "x5t": "-KI3Q9nNR7bRofxmeZoXqbHZGew", "kid": "-KI3Q9nNR7bRofxmeZoXqbHZGew" }
You are using the wrong type of Azure AD access token. Content with nonces in JWT headers are not intended to be verified by your own API - they are intended for Microsoft's own API.
You need to expose an API scope to resolve this issue, after which you will get an access token without the nonce in the JWT header. My blog post has some further relevant information.
The above is the detailed content of Azure JWT validation in Go not working. For more information, please follow other related articles on the PHP Chinese website!