dgrijalva / jwt-go

ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
https://github.com/golang-jwt/jwt
MIT License

The encode method changed when the *Token is generated. #158

Closed Wstunes closed 5 years ago

Wstunes commented 8 years ago

Take an example: if the claim has a Unix property like {"exp":1500000} and when the Token is generated token = jwt.NewWithClaims(jwt.SigningMethodRS256, claims) the tokenString is A.B.C, but after the token is parsed and I extract the signingString (token.signingString) it's A.B'. When I decode B' with Base64, it's like {"exp":1.5e6} with scientific notation. The notation has been changed and it makes the verification with RS256 fail. How to deal with it?

dgrijalva commented 8 years ago

The default behavior is the same as the default behavior of encoding/json, which is to say, all numbers are decoded as float64. If you cast your input type to match, it will test just fine. Alternatively, you can use the json number flag on Parser to use that behavior.

-dave


Wstunes commented 8 years ago

But the RSA Verify method func (m *SigningMethodRSA) Verify(signingString, signature string, key interface{}) error requires the signingString. Since the signingString is different, the verification always fails. That's the problem. @dgrijalva

dgrijalva commented 8 years ago

I don't understand what you're trying to do

-dave


Wstunes commented 8 years ago

Let me explain the flow. I want to sign a JWT and Verify it with RSAMethod.

  1. Create a claim containing exp with Unix time: claim := {"exp":1500000}
  2. Create a JWT token = jwt.NewWithClaims(jwt.SigningMethodRS256, claims) and sign it with the private key. The tokenString is A.B.C
  3. Parse the token with token := Parse(tokenString string, keyFunc Keyfunc) (Token, error) and get the Token
  4. Verify the token with func (m *SigningMethodRSA) Verify(signingString, signature string, key interface{}) error. This func requires signingString, which is token.signingString. But now token.signingString is A.B', and B' denotes {"exp":1.5e6}, which is different from the original claim. When I pass token.signingString as the parameter, the verification always fails. That's the problem. @dgrijalva

dgrijalva commented 8 years ago

The token is verified as part of Parse. You don't need to do it again.
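
Added example (not jwt-go code; it uses only the Go standard library) illustrating both replies above: re-encoding parsed claims changes bytes once numbers have become float64 but not with UseNumber (the behaviour behind jwt-go's Parser.UseJSONNumber), and an RS256 signature only verifies over the token's original header.payload segments, never over re-serialised claims. Since Go 1.8 encoding/json prints 1500000 without an exponent, so the constructed claims use an id above 2^53 to show the change; sampleHeader, samplePayload and the function names are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Constructed sample claims: exp plus an id above 2^53, which float64 cannot hold exactly.
const samplePayload = `{"exp":1500000,"id":9007199254740993}`
const sampleHeader = `{"alg":"RS256","typ":"JWT"}`

func b64(s string) string { return base64.RawURLEncoding.EncodeToString([]byte(s)) }

// reencodeClaims parses the payload into map[string]interface{} and marshals it again.
// useNumber=false: numbers become float64 (encoding/json's and jwt-go's default); useNumber=true: json.Number, kept verbatim.
func reencodeClaims(payload string, useNumber bool) string {
	dec := json.NewDecoder(strings.NewReader(payload))
	if useNumber {
		dec.UseNumber()
	}
	var claims map[string]interface{}
	if err := dec.Decode(&claims); err != nil {
		panic(err)
	}
	out, _ := json.Marshal(claims) // map keys are emitted in sorted order
	return string(out)
}

// rs256Sign builds a compact JWS: base64url(header).base64url(payload).base64url(sig).
func rs256Sign(priv *rsa.PrivateKey, header, payload string) (string, error) {
	input := b64(header) + "." + b64(payload)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// rs256Verify checks tok's signature over the signing input the caller supplies: the token's own first two segments verify, re-encoded claims do not.
func rs256Verify(pub *rsa.PublicKey, input, tok string) bool {
	sig, _ := base64.RawURLEncoding.DecodeString(tok[strings.LastIndex(tok, ".")+1:]) // a malformed segment simply fails below
	h := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```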

Wstunes commented 8 years ago

I originally thought it works like that. But when it comes to an unpaired private/public key, the token returned by the Parse func is still valid (token.valid is true). So I have to verify it again with func (m *SigningMethodRSA) Verify. Maybe there are some errors in the Parse func when the method is RSA256?

dgrijalva commented 8 years ago

That shouldn't be the case. Can you provide a failing test?

dgrijalva commented 5 years ago

Closing super old ticket. Please feel free to reopen and provide a failing example. Thanks