kataras / jwt

A fast and simple JWT implementation for Go
MIT License

CompareHeader function fails when key id (kid) included #9

Closed: ghost closed this issue 2 years ago

ghost commented 3 years ago
$ go version
go version go1.17 darwin/amd64

$ cat go.mod | grep kataras
    github.com/kataras/iris/v12 v12.2.0-alpha2.0.20210717090056-b2cc3a287149

The header block returned from Auth0 includes a key id (kid). This causes the exact byte match in the compareHeader func to fail.

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "<REDACT>"
}

https://github.com/kataras/jwt/blob/main/token.go#L229-L232

kataras commented 2 years ago

Hello @jwixel, you can customize how the header is compared (see the headerDecoded []byte): https://github.com/kataras/jwt/blob/da1ee79b9db12bd50748fee8a6e8047014414501/_examples/basic/rs512-verify/main.go#L21-L28

kataras commented 2 years ago

@jwixel, you can also use the jwt.Keys feature to work with multiple token ids (e.g. Amazon Cognito server-side app).
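
The header comparison discussed in this thread, as an added example that is not part of the original issue and not the library's own code: it uses only the Go standard library to show why a byte-for-byte match rejects a header carrying `kid`, and how a parsed check can accept `kid` while still pinning `alg`. The names `strictRS256`, `exactMatch` and `checkHeader`, the fixed header value and the key id `example-key-1` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed fixed header a strict verifier would expect for RS256 (no "kid").
var strictRS256 = []byte(`{"alg":"RS256","typ":"JWT"}`)

// exactMatch models the byte-for-byte comparison described in the issue.
func exactMatch(headerDecoded []byte) bool {
	return bytes.Equal(headerDecoded, strictRS256)
}

type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"`
}

// checkHeader (hypothetical helper) pins alg to wantAlg and accepts only a trusted kid.
func checkHeader(segment, wantAlg string, trustedKids map[string]bool) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	if err != nil {
		return "", fmt.Errorf("header is not base64url: %w", err)
	}
	var h header
	if err := json.Unmarshal(raw, &h); err != nil {
		return "", fmt.Errorf("header is not JSON: %w", err)
	}
	if h.Alg != wantAlg { // the verifier, not the token, chooses the algorithm
		return "", errors.New("unexpected alg " + h.Alg)
	}
	if h.Typ != "" && h.Typ != "JWT" {
		return "", errors.New("unexpected typ " + h.Typ)
	}
	if h.Kid != "" && !trustedKids[h.Kid] { // kid may only name a locally trusted key
		return "", errors.New("unknown kid " + h.Kid)
	}
	return h.Kid, nil
}

func main() {
	hdr := []byte(`{"alg":"RS256","typ":"JWT","kid":"example-key-1"}`) // constructed sample
	kid, err := checkHeader(base64.RawURLEncoding.EncodeToString(hdr), "RS256", map[string]bool{"example-key-1": true})
	fmt.Println(exactMatch(hdr), kid, err)
}
```

The returned `kid` is only a lookup index into a key set the verifier already trusts; the signature still has to be verified with the key it selects.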