如何使用jwt-go库验证JSON Web Token?

huangapple go评论89阅读模式
英文:

How to verify a JSON Web Token with the jwt-go library?

问题

我正在使用golang中的jwt-go库,并使用HS512算法对令牌进行签名。我想确保令牌是有效的,文档中的示例代码如下:

token, err := jwt.Parse(myToken, func(token *jwt.Token) (interface{}, error) {
    return myLookupKey(token.Header["kid"])
})

if err == nil && token.Valid {
    fmt.Println("Your token is valid. I like your style.")
} else {
    fmt.Println("This token is terrible! I cannot accept this.")
}

我理解myToken是字符串令牌,keyFunc函数会接收解析后的令牌,但我不明白myLookupKey函数应该做什么?当我将token.Header打印到控制台时,并没有kid值,即使令牌中有我放入的所有数据,token.Valid始终为false。这是一个bug吗?我该如何验证令牌的有效性?

英文:

I am using the jwt-go library in golang, and using the HS512 algorithm for signing the token. I want to make sure the token is valid and the example in the docs is like this:

token, err := jwt.Parse(myToken, func(token *jwt.Token) (interface{}, error) {
    return myLookupKey(token.Header["kid"])
})

if err == nil && token.Valid {
    fmt.Println("Your token is valid.  I like your style.")
} else {
    fmt.Println("This token is terrible!  I cannot accept this.")
}

I understand that myToken is the string token and the keyFunc gets passed the parsed token, but I don't understand what myLookupKey function is supposed to do?, and token.Header doesn't have a kid value when i print it to console and even thought the token has all the data I put in it, token.Valid is always false. Is this a bug? How do I verify the token is valid?

答案1

得分: 10

keyFunc应该返回库应该用来验证令牌签名的私钥。如何获取此密钥完全取决于您。

文档中的示例展示了jwt-go库提供的非标准功能(未在RFC 7519中定义)。使用头部中的kid字段(缩写为key ID),客户端可以指定令牌签名所使用的密钥。在验证时,您可以使用密钥ID来查找已知密钥之一(如何以及是否实现此密钥查找取决于您)。

如果您不想使用此功能,可以不使用它。只需从keyFunc返回一个静态字节流,而无需检查令牌头部:

token, err := jwt.Parse(myToken, func(token *jwt.Token) (interface{}, error) {
    key, err := ioutil.ReadFile("your-private-key.pem")
    if err != nil {
        return nil, errors.New("无法加载私钥")
    }
    return key, nil
})
英文:

The keyFunc is supposed to return the private key that the library should use to verify the token's signature. How you obtain this key is entirely up to you.

The example from the documentation shows a non-standard (not defined in RFC 7519) additional feature that is offered by the jwt-go library. Using a kid field in the header (short for key ID), clients can specify with which key the token was signed. On verification, you can then use the key ID to look up one of (possible several) known keys (how and if you implement this key lookup is up to you).

If you do not want to use this feature, just don't. Simply return a static byte stream from the keyFunc without inspecting the token headers:

token, err := jwt.Parse(myToken, func(token *jwt.Token) (interface{}, error) {
    key, err := ioutil.ReadFile("your-private-key.pem")
    if err != nil {
        return nil, errors.New("private key could not be loaded")
    }
    return key, nil
})

huangapple
  • 本文由 发表于 2016年1月3日 23:41:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/34578326.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定