Open mark2b opened 1 year ago
Hello @mark2b,
The iris/middleware/jwt package allows passing header validators in two spots:
- through its `NewVerifier` function, which is used to create a token verifier. See its last argument at: https://github.com/kataras/iris/blob/79404f91c138cb042c747ef95f4974d8f599236b/middleware/jwt/verifier.go#L89
- through its `Verifier.Verify` method, which can be used for further customization on specific route handlers: https://github.com/kataras/iris/blob/79404f91c138cb042c747ef95f4974d8f599236b/middleware/jwt/verifier.go#L186

For extra information, the `kid` is supported through the jwt.Keys implementation (this implementation is mostly used for Amazon Cognito's JWTs).
If any of the above didn't help, please post an example of your validator which you can pass on kataras/jwt but not on iris/middleware/jwt so I can provide further assistance.
Thank you, Gerasimos Maropoulos
Hi Gerasimos, thanks for the quick answer.
The problem is: Verifier calls jwt.VerifyEncrypted

```go
func (v *Verifier) VerifyToken(token []byte, validators ...TokenValidator) (*VerifiedToken, error) {
	return jwt.VerifyEncrypted(v.Alg, v.Key, v.Decrypt, token, validators...)
}
```

and jwt.VerifyEncrypted calls verifyToken with enforced nil for header validator

```go
func VerifyEncrypted(alg Alg, key PublicKey, decrypt InjectFunc, token []byte, validators ...TokenValidator) (*VerifiedToken, error) {
	return verifyToken(alg, key, decrypt, token, nil, validators...)
}
```
I'm new to JWT. Sure I'm missing something.
Thank you, Mark
Hello @mark2b, I'm new to working with Go and consequently with Iris. I'm going to do the auth with Auth0.com and I found this example, which may help you.
https://github.com/auth0/go-jwt-middleware/tree/master/examples/iris-example
I have a native client application and a RESTful backend that uses iris for the REST API.
- Client: protected by user authentication by Auth0.com
- Server: protected by JWT, received by the client during login

Auth0.com generates JWT tokens for native applications in RS256 format only.
iris validates this token and fails on the header validation step.
iris assumes that the header contains only the "alg" and "typ" parts

```json
{ "alg": "HS256", "typ": "JWT" }
```

but the RS256 token received from auth0.com contains a "kid" part as well

```json
{ "alg": "RS256", "typ": "JWT", "kid": "*********" }
```

The problem itself happens in kataras/jwt, but although this package allows passing a header validation function, iris/middleware/jwt doesn't allow passing a header validation function to fix this problem.
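The header check the issue above asks for, as an added standard-library example that is not part of the thread and is not code from iris or kataras/jwt: it accepts the extra "kid" field, pins the algorithm to RS256 on the verifier side, and uses "kid" only to pick among already trusted keys. The names `verifyRS256`, `signRS256`, `sampleKey` and the kid value `sample-kid` are hypothetical, and the token is constructed locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
var sampleKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed sample key, not an issuer's key

// verifyRS256 (hypothetical helper) checks a compact RS256 token against trusted keys indexed by kid.
func verifyRS256(token string, keys map[string]*rsa.PublicKey) (string, error) {
	var h struct{ Alg, Typ, Kid string } // header fields beyond alg and typ, such as kid, are accepted
	parts := strings.Split(token, ".")
	raw, err := b64.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &h) != nil {
		return "", fmt.Errorf("malformed token")
	}
	// The verifier pins the algorithm; kid only selects among keys the server already trusts.
	key := keys[h.Kid]
	if h.Alg != "RS256" || key == nil {
		return "", fmt.Errorf("rejected header: alg=%q kid=%q", h.Alg, h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	return string(payload), err
}

// signRS256 builds a constructed sample token; a real one is issued by the identity provider.
func signRS256(headerJSON, payloadJSON string, priv *rsa.PrivateKey) string {
	msg := b64.EncodeToString([]byte(headerJSON)) + "." + b64.EncodeToString([]byte(payloadJSON))
	digest := sha256.Sum256([]byte(msg))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return msg + "." + b64.EncodeToString(sig)
}

func main() {
	tok := signRS256(`{"alg":"RS256","typ":"JWT","kid":"sample-kid"}`, `{"sub":"user-1"}`, sampleKey)
	fmt.Println(verifyRS256(tok, map[string]*rsa.PublicKey{"sample-kid": &sampleKey.PublicKey}))
}
```

A header that names any other algorithm is rejected even when its signature would verify under RS256, so the token cannot steer the verifier toward a different scheme.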