Azure JWT validation in Go not working

WBOY
Release: 2024-02-09 11:12:09
forward
1013 people have browsed it

Go 中的 Azure JWT 验证不起作用

When using Go language to develop Azure applications, we often encounter the problem that JWT (JSON Web Token) verification does not work. JWT is a secure transport method for passing claims between web applications, but sometimes you encounter various issues when using Azure's JWT validation in Go. This article will introduce you to some possible reasons why JWT verification does not work, and provide corresponding solutions to help you solve this common problem. This article has been carefully compiled by PHP editor Apple, and I hope it will be helpful to you.

Question content

I have a go http server. I want to secure my route using azure jwt token. I am able to generate the token but cannot verify it.

This is what I did:

package main

import (
    "context"
    "errors"
    "fmt"

    "github.com/dgrijalva/jwt-go"
    "github.com/lestrrat-go/jwx/jwa"
    "github.com/lestrrat-go/jwx/jwk"
    njwt "github.com/lestrrat-go/jwx/jwt"
)

const token = "<access-token>"

const jwksurl = `https://login.microsoftonline.com/common/discovery/keys`

func main() {
    set, _ := jwk.fetch(context.todo(), jwksurl)
    // verified that set has required kid 
    verify2(token, set)
    token, err := verify(token, set)
    // token, err := jwt.parse(token, getkey)
    if err != nil {
        panic(err)
    }
    claims := token.claims.(jwt.mapclaims)
    for key, value := range claims {
        fmt.printf("%s\t%v\n", key, value)
    }
}

func verify2(token string, keyset jwk.set) {
    btoken := []byte(token)
    parsedtoken, err := njwt.parse(
        btoken, //token is a []byte
        njwt.withkeyset(keyset),
        njwt.withvalidate(true),
    )
    fmt.printf("%v %v", parsedtoken, err)
}

func verify(tokenstring string, keyset jwk.set) (*jwt.token, error) {
    tkn, err := jwt.parse(tokenstring, func(token *jwt.token) (interface{}, error) {
        if token.method.alg() != jwa.rs256.string() {
            return nil, fmt.errorf("unexpected signing method: %v", token.header["alg"])
        }
        kid, ok := token.header["kid"].(string)
        if !ok {
            return nil, errors.new("kid header not found")
        }
        keys, ok := keyset.lookupkeyid(kid)
        if !ok {
            return nil, fmt.errorf("key %v not found", kid)
        }
        var raw interface{}
        err := keys.raw(&raw)
        return raw, err
    })
    return tkn, err
}
Copy after login

verify2(..) gives <nil> failed to match any keys and verify(..) gives crypto/rsa: Verification error

My jwt header:

{
  "typ": "JWT",
  "nonce": "...",
  "alg": "RS256",
  "x5t": "-KI3Q9nNR7bRofxmeZoXqbHZGew",
  "kid": "-KI3Q9nNR7bRofxmeZoXqbHZGew"
}
Copy after login

Workaround

You are using the wrong type of Azure AD access token. Content with nonces in JWT headers are not intended to be verified by your own API - they are intended for Microsoft's own API.

You need to expose an API scope to resolve this issue, after which you will get an access token without the nonce in the JWT header. My blog post has some further relevant information.

The above is the detailed content of Azure JWT validation in Go not working. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:stackoverflow.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template