JWT middleware doesn't support RS256 tokens (auth0) #2192

Open
mark2b opened this issue Aug 20, 2023 · 3 comments
mark2b commented Aug 20, 2023

I have a native client application and a RESTful backend that uses iris for the REST API.
The client is protected by user authentication by Auth0.com.
The server is protected by a JWT, received by the client during login.
For native applications, Auth0.com generates JWT tokens in RS256 format only.

iris validates this token and fails at the header validation step.

iris assumes that the header contains only the "alg" and "typ" parts:

    { "alg": "HS256", "typ": "JWT" }

but the RS256 token received from auth0.com contains a "kid" part as well:

    { "alg": "RS256", "typ": "JWT", "kid": "*********" }

The problem itself happens in kataras/jwt, although this package allows passing a header validation function.
iris/middleware/jwt doesn't allow passing a header validation function to fix this problem.

Owner

kataras commented Aug 21, 2023

Hello @mark2b,

The iris/middleware/jwt package allows passing header validators on two spots:

  1. through its NewVerifier function, which is used to create a token verifier. See its last argument at:

    func NewVerifier(signatureAlg Alg, signatureKey interface{}, validators ...TokenValidator) *Verifier {

  2. through its Verifier.Verify method, which can be used for further customization on specific route handlers:

    func (v *Verifier) Verify(claimsType func() interface{}, validators ...TokenValidator) context.Handler {

For extra information, the kid is supported through the jwt.Keys implementation (this implementation is mostly used for Amazon Cognito's JWTs).

If any of the above didn't help, please post an example of your validator which you can pass on kataras/jwt but not on iris/middleware/jwt so I can provide further assistance.

Thank you,
Gerasimos Maropoulos

Author

mark2b commented Aug 21, 2023

Hi Gerasimos,
Thanks for the quick answer.

The problem is: Verifier calls jwt.VerifyEncrypted

    func (v *Verifier) VerifyToken(token []byte, validators ...TokenValidator) (*VerifiedToken, error) {
        return jwt.VerifyEncrypted(v.Alg, v.Key, v.Decrypt, token, validators...)
    }

and jwt.VerifyEncrypted calls verifyToken with an enforced nil for the header validator:

    func VerifyEncrypted(alg Alg, key PublicKey, decrypt InjectFunc, token []byte, validators ...TokenValidator) (*VerifiedToken, error) {
        return verifyToken(alg, key, decrypt, token, nil, validators...)
    }

I'm new to JWT. I'm sure I'm missing something.

Thank you,
Mark

@aristotekean

Hello @mark2b, I'm new to working with Go and consequently with Iris. I'm going to do the auth with Auth0.com, and I found this example, which may be able to help you.

https://github.com/auth0/go-jwt-middleware/tree/master/examples/iris-example
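
Added example (not part of the thread, and not code from iris, kataras/jwt or Auth0): a header check that tolerates a "kid" field while keeping the algorithm pinned to RS256, so that "kid" only selects among keys the server already trusts. It uses only the Go standard library; `VerifyRS256`, `Sign`, `demoKey` and the key ID `k1` are hypothetical names, and claim checks such as expiry are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key

// VerifyRS256 checks a compact JWT against kid-indexed trusted keys and returns its payload.
func VerifyRS256(token string, keys map[string]*rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	var h struct{ Alg, Kid string } // extra header fields such as "typ" are tolerated
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &h) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	pub := keys[h.Kid] // kid only selects among keys the server already trusts
	if h.Alg != "RS256" || pub == nil { // alg is pinned here, never taken from the token
		return nil, fmt.Errorf("rejected header: alg=%q kid=%q", h.Alg, h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	return b64.DecodeString(parts[1])
}

// Sign builds constructed sample tokens; header is raw JSON so rejected cases can be tried.
func Sign(key *rsa.PrivateKey, header, payload string) string {
	in := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(payload))
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return in + "." + b64.EncodeToString(sig)
}

func main() {
	tok := Sign(demoKey, `{"alg":"RS256","typ":"JWT","kid":"k1"}`, `{"sub":"demo"}`)
	payload, err := VerifyRS256(tok, map[string]*rsa.PublicKey{"k1": &demoKey.PublicKey})
	fmt.Printf("%s %v\n", payload, err)
}
```

A token whose header says HS256 or none is rejected here even when its signature bytes are valid RSA, because the header's "alg" is compared against the pinned value and never used to choose the verification routine.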
