kataras / iris

The fastest HTTP/2 Go Web Framework. New, modern and easy to learn. Fast development with Code you control. Unbeatable cost-performance ratio :rocket:
https://www.iris-go.com
BSD 3-Clause "New" or "Revised" License
25.19k stars 2.47k forks

JWT middleware doesn't support RS256 tokens (auth0) #2192

Open mark2b opened 1 year ago

mark2b commented 1 year ago

I have a native client application and a RESTful backend that uses iris for the REST API. The client is protected by user authentication via Auth0.com; the server is protected by a JWT, received by the client during login. For native applications, Auth0.com generates JWT tokens in RS256 format only.

iris validates this token and fails on the header validation step.

iris assumes that header contains only "alg" and "typ" parts

{ "alg": "HS256", "typ": "JWT" }

but the RS256 token received from auth0.com contains a "kid" part as well:

{ "alg": "RS256", "typ": "JWT", "kid": "*********" }

The problem itself happens in kataras/jwt, and although that package allows passing a header validation function, iris/middleware/jwt doesn't allow passing a header validation function to fix this problem.

kataras commented 1 year ago

Hello @mark2b,

The iris/middleware/jwt package allows passing header validators on two spots:

  1. through its NewVerifier function, which is used to create the token verifier. See its last argument at: https://github.com/kataras/iris/blob/79404f91c138cb042c747ef95f4974d8f599236b/middleware/jwt/verifier.go#L89

  2. through its Verifier.Verify method, which can be used for further customization on specific route handlers: https://github.com/kataras/iris/blob/79404f91c138cb042c747ef95f4974d8f599236b/middleware/jwt/verifier.go#L186

For extra information, the kid is supported through the jwt.Keys implementation (this implementation is mostly used for Amazon Cognito's JWTs).

If any of the above didn't help, please post an example of your validator which you can pass on kataras/jwt but not on iris/middleware/jwt so I can provide further assistance.

Thank you, Gerasimos Maropoulos

mark2b commented 1 year ago

Hi Gerasimos, thanks for the quick answer.

The problem is: Verifier calls jwt.VerifyEncrypted

```go
func (v *Verifier) VerifyToken(token []byte, validators ...TokenValidator) (*VerifiedToken, error) {
	return jwt.VerifyEncrypted(v.Alg, v.Key, v.Decrypt, token, validators...)
}
```

and jwt.VerifyEncrypted calls verifyToken with an enforced nil for the header validator:

```go
func VerifyEncrypted(alg Alg, key PublicKey, decrypt InjectFunc, token []byte, validators ...TokenValidator) (*VerifiedToken, error) {
	return verifyToken(alg, key, decrypt, token, nil, validators...)
}
```

I'm new to JWT. Surely I'm missing something.

Thank you, Mark
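The thread above is about a header validator that rejects RS256 tokens because they carry an extra "kid" member. The following is an added example, written for this page and not code from iris or kataras/jwt: it shows, with only the Go standard library, what a header check for such tokens should do. It pins the algorithm to RS256 before anything else (so an attacker-supplied "alg": "none" or "HS256" cannot redirect verification), tolerates the extra "kid" member, uses it to select the verification key from a key set, and only then checks the RSA signature. The key set, the kid value "k1" and the claims are constructed for the example; a real deployment would load the keys from the issuer's JWKS endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// joseHeader is the JWT header. Kid is optional: tokens such as the Auth0
// RS256 tokens in the issue carry it next to alg and typ.
type joseHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
	Kid string `json:"kid,omitempty"`
}

var b64 = base64.RawURLEncoding

// signRS256 builds a compact JWT (header.payload.signature) signed with
// RSASSA-PKCS1-v1_5 over SHA-256 and stamps kid into the header.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hb, err := json.Marshal(joseHeader{Alg: "RS256", Typ: "JWT", Kid: kid})
	if err != nil {
		return "", err
	}
	pb, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 validates the header (alg pinned, kid allowed and used for key
// lookup), then checks the signature and returns the decoded claims.
// keys maps kid -> public key; a constructed stand-in for a JWKS.
func verifyRS256(token string, keys map[string]*rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected 3 segments")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var h joseHeader
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// Never trust alg from the token: the verifier decides the algorithm.
	if h.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	if h.Typ != "" && h.Typ != "JWT" {
		return nil, fmt.Errorf("unexpected typ %q", h.Typ)
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := map[string]*rsa.PublicKey{"k1": &priv.PublicKey} // constructed key set
	tok, _ := signRS256(priv, "k1", map[string]any{"sub": "mark", "iss": "example"})
	claims, err := verifyRS256(tok, keys)
	fmt.Println(claims, err)
}
```

The example deliberately does not check exp, iss or aud; those claim checks belong after signature verification and are what the iris TokenValidator arguments in the thread are for. The point here is the order of the header checks: pin alg, then resolve kid, then verify.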

aristotekean commented 8 months ago

Hello @mark2b, I'm new to working with Go and consequently with Iris. I'm going to do the auth with Auth0.com and I found this example, which may help you:

https://github.com/auth0/go-jwt-middleware/tree/master/examples/iris-example