auth0 / go-jwt-middleware

A Middleware for Go Programming Language to check for JWTs on HTTP requests
MIT License

Custom claims not decoded #153

Closed jpmeijers closed 2 years ago

jpmeijers commented 2 years ago

Describe the problem

Decoded access token does not contain custom claims.

What was the expected behavior?

I want to see the custom claims that were added by the auth0 actions.

Reproduction

I have an access token that looks like this: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjdOU1ZEMHpoMnJmSG9JWjM3YjBqWiJ9.eyJodHRwczovL2F1dGguZWJ1Zy5jby56YS9lbWFpbCI6ImpwbWVpamVyc0Bob21lYnVnLmNvLnphIiwiaHR0cHM6Ly9hdXRoLmVidWcuY28uemEvZW1haWxfdmVyaWZpZWQiOnRydWUsImlzcyI6Imh0dHBzOi8vYXV0aC5lYnVnLmNvLnphLyIsInN1YiI6ImF1dGgwfDEyMTEiLCJhdWQiOiJodHRwczovL2FwaS5lYnVnLmNvLnphIiwiaWF0IjoxNjU0MDE0MDM2LCJleHAiOjE2NTQxMDA0MzYsImF6cCI6InFyZGJkeGllZGtTQVBtbHhVckw0OTJVSjR3WHRWajVBIiwic2NvcGUiOiJlbWFpbCIsImd0eSI6InBhc3N3b3JkIiwicGVybWlzc2lvbnMiOltdfQ.MvKzvEbmmZRgOOGvG35npCkS3FfDmEJt1dpc_uRey5MZLvuO_a2Z8L-Z7TizVBkWhIHWL8mxopzjI9PLx_VzeexL8XKt7mrg0eiabu6sLlky29pXGjfh1SDDMhV4MTWMc_G94riNs-LfSZ7sevZMOn2TyCGEcSwJf5uW-xbcBQLeHIDMIhm1vAqFvJj_qsE68KFO2O0g1JZbSjakRBUq_aL0CsSpOScKXKk9Bi19L0U_mjYeUxYD24sMyZ6wbOot5_OPgIV3ouBUEuLR8RA0itGj7n22flRdzTR6inAB-KJdQZ7reFcP7YrKzTyrKA5p3nb245sJhvGPGmYIaZSBvw

I call the golang API which prints out the json marshalled claims:

package main

import (
    "encoding/json"
    "log"
    "net/http"

    jwtmiddleware "github.com/auth0/go-jwt-middleware/v2"
    "github.com/auth0/go-jwt-middleware/v2/validator"
)

func TestUserAuthedRoute(w http.ResponseWriter, r *http.Request) {
    // The middleware stores the validated token under jwtmiddleware.ContextKey{}.
    claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)
    log.Println(claims.RegisteredClaims.Subject)

    payload, err := json.Marshal(claims)
    if err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
        return
    }

    w.Header().Set("Content-Type", "application/json")
    w.Write(payload)
}

The result is:

{
    "CustomClaims": {
        "scope": "email"
    },
    "RegisteredClaims": {
        "iss": "https://auth.ebug.co.za/",
        "sub": "auth0|1211",
        "aud": [
            "https://api.ebug.co.za"
        ],
        "exp": 1654100251,
        "iat": 1654013851
    }
}

I am expecting to see the custom claims, like jwt.io shows when decoding this same access token:

{
  "https://auth.ebug.co.za/email": "jpmeijers@homebug.co.za",
  "https://auth.ebug.co.za/email_verified": true,
  "iss": "https://auth.ebug.co.za/",
  "sub": "auth0|1211",
  "aud": "https://api.ebug.co.za",
  "iat": 1654014036,
  "exp": 1654100436,
  "azp": "qrdbdxiedkSAPmlxUrL492UJ4wXtVj5A",
  "scope": "email",
  "gty": "password",
  "permissions": []
}

Environment

grounded042 commented 2 years ago

Hey @jpmeijers. Have you followed the example which shows custom claims? https://github.com/auth0/go-jwt-middleware/blob/master/examples/http-example/main.go Note that you need to have a struct pre-defined which the custom claims can map to.

jpmeijers commented 2 years ago

Thanks, I wasn't aware of that example. Maybe we should note something about this in the README.

Is there a way to parse all the custom claims, without having to pre-define them? Like we would have unmarshalled unknown json to an interface{}.

grounded042 commented 2 years ago

Hey @jpmeijers sorry for the late reply - I was out on vacation for a bit. Yes, you could get all claims by doing something like the following:

package main

import (
    "context"
    "encoding/json"
    "time"

    "github.com/auth0/go-jwt-middleware/v2/validator"
)

// AllClaims captures every claim in the payload without predefining a struct.
type AllClaims map[string]json.RawMessage

// Validate satisfies validator.CustomClaims.
func (a *AllClaims) Validate(ctx context.Context) error {
    // do validation
    return nil
}

func newValidator(keyFunc func(context.Context) (interface{}, error)) (*validator.Validator, error) {
    customClaims := func() validator.CustomClaims {
        return &AllClaims{}
    }

    // Set up the validator.
    return validator.New(
        keyFunc,
        validator.HS256,
        "go-jwt-middleware-example",
        []string{"audience-example"},
        validator.WithCustomClaims(customClaims),
        validator.WithAllowedClockSkew(30*time.Second),
    )
}

jpmeijers commented 2 years ago

Ah great. Thanks a lot for the example.
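Why the namespaced claims went missing, and the two fixes side by side, as an added example that is neither the project's code nor either commenter's: plain encoding/json over a trimmed, constructed copy of the jwt.io payload above, decoded once into a predeclared struct with a Validate hook and once into the map type from the reply. The Validate signature and the claim names come from the thread; the verified-email check is an assumption added here.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
)

// SamplePayload: the issue's decoded token payload, trimmed to a few claims (constructed).
const SamplePayload = `{
  "https://auth.ebug.co.za/email": "jpmeijers@homebug.co.za",
  "https://auth.ebug.co.za/email_verified": true,
  "scope": "email",
  "gty": "password"
}`

// NamespacedClaims predeclares the Auth0 Action claims; encoding/json silently drops
// every key without a matching field, which is why only "scope" survived in the issue.
type NamespacedClaims struct {
	Email         string `json:"https://auth.ebug.co.za/email"`
	EmailVerified bool   `json:"https://auth.ebug.co.za/email_verified"`
	Scope         string `json:"scope"`
}

// Validate is the validator.CustomClaims hook from the reply; the verified check is assumed.
func (c *NamespacedClaims) Validate(ctx context.Context) error {
	if !c.EmailVerified {
		return errors.New("email not verified")
	}
	return nil
}

// AllClaims keeps every claim as raw JSON, the map approach from the reply above.
type AllClaims map[string]json.RawMessage

func (a *AllClaims) Validate(ctx context.Context) error { return nil }

// DecodeTyped unmarshals into the predeclared struct and runs its Validate hook.
func DecodeTyped(payload string) (*NamespacedClaims, error) {
	var c NamespacedClaims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	return &c, c.Validate(context.Background())
}

func DecodeAll(payload string) (AllClaims, error) {
	var a AllClaims
	return a, json.Unmarshal([]byte(payload), &a)
}
```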