JSON Web Token library

Feature Request. I can make a call to Azure keyvault to sign and what I get back are the following ;

1. kid
2. base64 url encoded signature
3. alg, i.e. "RSA256" passed in

Could you think about putting the signing stuff into an interface and letting me implement that on my end. I would still expect your code to construct the JWT ({0}.{1}.{signature})

That way we could also reduce what looks like redundant code in all the *Sign() functions.

my POC function looks like this, and would change based upon the interface requirements of your engine;

// HARD CODED to SHA256 at the moment

func RSA256AzureSign(ctx context.Context, data []byte) (kid *string, signature *string, err error) {
	keyClient := getKeysClient()
	digest := crypto.SHA256.New()
	digest.Write(data)
	h := digest.Sum(nil)
	sEnc := b64.StdEncoding.EncodeToString(h)

	keyOperationResult, err := keyClient.Sign(ctx, "https://P7KeyValut.vault.azure.net/", "P7IdentityServer4SelfSigned", "", keyvault.KeySignParameters{
		Algorithm: keyvault.RS256,
		Value:     &sEnc,
	})
	if err != nil {
		return
	}
	return keyOperationResult.Kid, keyOperationResult.Result, nil
}

The call to azure picks the latest version of the cert and signs for me, returning the kid and the base64 signature.

Hey there! Love your package. It's very simple and straight-forward. I prefer it to other JWT packages thanks to its API. Great job!

I only have one problem. I have jwt in my project and it's in my go.mod and in go.sum. Every time I try to run go test -v -count=1 ./... in my root directory, it complains about jwt's imported library and fails:

myproject:master* λ go test -v -count=1 ./...
../../pascaldekloe/jwt/check.go:6:2: cannot find package "crypto/ed25519" in any of:
	/usr/lib/go/src/crypto/ed25519 (from $GOROOT)
	/home/myusername/go/src/crypto/ed25519 (from $GOPATH)

crypto/ed25519 exists on my system:

ed25519:master λ pwd
/home/myusername/go/src/golang.org/x/crypto/ed25519

Is there something wrong with my system variables or import paths?

This problem doesn't occur with any other packages.

Thanks!

This library looks very promising, however, to make it really useful, I have two questions:

1. can you provide a convenient method to convert a JSON string into the jwt.Claims structure?
2. how can I verify a jwt token if I have a private string typed password?

For 1, you can argue that it's not this project's responsibility to do it, that's fine. But for 2, I cannot believe it's not documented in the readme.md. This is the most fundamental use of jwt. I think if your project is better documented, this project will gain 50x more popularity. I have been here several times and was turned off by lacking of useful examples every time. This time I finally decided to open this ticket. Thanks.

Hi, at first, thank you for this awesome library! But whenever I use claims.Set = map[string]interface{}{"role": "userrole",} audiences are stated as a string instead of an array.

E.g.:

{
  "aud": "audience.org",
  "exp": 1897992150.1938002,
  "iat": 1582275750,
  "iss": "issuer.org",
  "role": "userrole",
  "sub": "0ff88b48-231c-4862-8fcf-56c7fce32400"
}

vs.

{
  "aud": [
           "audience.org"
         ],
  "exp": 1897992150.1938002,
  "iat": 1582275750,
  "iss": "issuer.org",
  "sub": "0ff88b48-231c-4862-8fcf-56c7fce32400"
}

I'm curious as to why some of potential return errors from HMACCheckHeader aren't exported. This includes errAuthHeader, and errAuthSchema. Since they aren't exported I can't compare against them in my middleware.

I need to handle differently the situations where an invalid token is submitted and no token is submitted. I could just duplicate the code, but those errors are already being returned. To take advantage of them, I'd need to do string comparison, which is frowned upon.

Any interest in exporting these errors?

thanks for you lib. i'm use jwt and provide ed25519 for https://github.com/dgrijalva/jwt-go/pull/366 but as it now not merged and i don't understand how long this can takes, can you provide simple benchmark of you lib vs https://github.com/dgrijalva/jwt-go ? may be other can use it to decide what lib to use for jwt ?

Must these be stored in binary in a file? I want to persist them to a file, but so far have not been able to encode/decode as PEM, or even base64. They are always corrupt when I read them back in.

If I try to generate the keys from openssl or ssh-keygen, I'm also not able to read those in as valid ed25519 keys.

The test I use is to generate them in Go, then try to encode them, decode them, and re-run a sign/verify.

Thanks for your work on this package.

In the README it says the package uses no third-party dependencies, but the go.mod file lists the dependency github.com/pascaldekloe/goe.

From a quick check it looks like the only place goe is being used is the following line: https://github.com/pascaldekloe/jwt/blob/fcba0b3ef7ede11014a95c26e2ecea73a94e5013/x/x_test.go#L134

I was wondering if the test could be refactored to inline any necessary code, instead of pulling through the whole dependency?

If you try to use this lib with go 1.11's module system the latest release it will download is v1.2.1. Go modules require tags to be formatted as vx.y.z where x is MAJOR, y is MINOR and z is the PATCH number. Could you migrate tags and releases to semver-formatted strings?

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) on Go language. We found your great public repository from Github, and several security issues detected by CryptoGo are shown in the following. Note that the cryptographic algorithms are categorized with two aspects: security strength and security vulnerability based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defined certain rules derived from the APIs of Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows: Location: sign.go:174; Broken rule: RSASSA-PKCS1-v1_5 is deprecated; We wish the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.

While this library does provide methods for checking the signature (such as HMCACheck(<token>, <secret>)) and for checking that the token hasn't expired (*Claims.Valid(time.Time)), it doesn't provide validators for validating each claim in the JWT payload. This PR adds the ability to create a validator for each field to then be used along with the Claims in ValidatePayloadClaims.

As an example:

// Create your field validators. For all minus the TimeFieldValidator, just pass in the expected
// results. For the TimeFieldValidator, pass in the time that all time fields must be valid for. (Does
// not have to be time.Now())
issValidator := jwt.IssuerValidator("testIssuer")
audValidator := jwt.AudiencesValidator([]string{"testAudienceOne", "testAudienceTwo"})
subValidator := jwt.SubjectValidator(strconv.Itoa(1234))
timeValidator := jwt.TimeFieldValidator(time.Now())
idValidator := jwt.IdValidator(strconv.Itoa(5678))

// Not only are there validators for the Registered claims, but there is also a validator for custom claims.
// Just pass in the expected value, and the name of the custom claim field.
customFieldValidator  := jwt.CustomClaimValidator("expectedCustomFieldValue", "customClaimFieldName")

// Pass in the token's claims and your field validators. tokenClaims is *Claims from the created token
err = jwt.ValidatePayloadClaims(tokenClaims, issValidator, audValidator, subValidator, timeValidator, idValidator, customFieldValidator)