JWT middleware doesn't support RS256 tokens (auth0)

Open mark2b opened this issue 2 years ago • 3 comments

I have a client native application and a RESTful backend that uses iris for the REST API. The client is protected by user authentication via Auth0.com; the server is protected by a JWT, received by the client during login. Auth0.com for native applications generates JWT tokens in RS256 format only.

iris validates this token and fails on the header validation step.

iris assumes that the header contains only the "alg" and "typ" parts:

```json
{ "alg": "HS256", "typ": "JWT" }
```

but the RS256 token received from auth0.com contains a "kid" part as well:

```json
{ "alg": "RS256", "typ": "JWT", "kid": "*********" }
```

The problem itself happens in kataras/jwt, but although this package allows passing a header validation function, iris/middleware/jwt doesn't allow passing a header validation function to fix this problem.

mark2b, Aug 20 '23 19:08

Hello @mark2b,

The iris/middleware/jwt package allows passing header validators on two spots:

  1. through its NewVerifier function, which is used to create a token verifier. See its last argument at: https://github.com/kataras/iris/blob/79404f91c138cb042c747ef95f4974d8f599236b/middleware/jwt/verifier.go#L89

  2. through its Verifier.Verify method, which can be used for further customization on specific route handlers: https://github.com/kataras/iris/blob/79404f91c138cb042c747ef95f4974d8f599236b/middleware/jwt/verifier.go#L186

For extra information, the kid is supported through the jwt.Keys implementation (this implementation is mostly used for Amazon Cognito's JWTs).

If any of the above didn't help, please post an example of your validator which you can pass on kataras/jwt but not on iris/middleware/jwt so I can provide further assistance.

Thank you, Gerasimos Maropoulos

kataras, Aug 21 '23 06:08

Hi Gerasimos, thanks for the quick answer.

The problem is: Verifier calls jwt.VerifyEncrypted

```go
func (v *Verifier) VerifyToken(token []byte, validators ...TokenValidator) (*VerifiedToken, error) {
	return jwt.VerifyEncrypted(v.Alg, v.Key, v.Decrypt, token, validators...)
}
```

and jwt.VerifyEncrypted calls verifyToken with an enforced nil for the header validator:

```go
func VerifyEncrypted(alg Alg, key PublicKey, decrypt InjectFunc, token []byte, validators ...TokenValidator) (*VerifiedToken, error) {
	// the fifth argument is the header validator, hard-wired to nil here
	return verifyToken(alg, key, decrypt, token, nil, validators...)
}
```

I'm new to JWT. Surely I'm missing something.

Thank you, Mark

mark2b, Aug 21 '23 07:08
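What a header validator for this case has to do, as an added example that is not from the thread, from kataras/jwt or from iris: a small verifier built only on the Go standard library that accepts the extra kid, pins alg to RS256 and uses kid to pick the public key. The keys map and the NewSigningKey helper are assumptions for the demonstration; in a real deployment the public keys come from the issuer's published key set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// VerifyRS256 returns the claims JSON of token once its signature checks out under the public
// key named by the header's kid. The algorithm is pinned here and never trusted from the token.
func VerifyRS256(token string, keys map[string]*rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: %d segments", len(parts))
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// encoding/json ignores members it does not know, so the extra "kid" Auth0 adds is harmless.
	var h struct{ Alg, Kid string } // untagged: "alg"/"kid" are matched case-insensitively
	if err := json.Unmarshal(rawHeader, &h); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	if h.Alg != "RS256" { // reject HS256, "none", etc. before touching any key material
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	key, ok := keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	return base64.RawURLEncoding.DecodeString(parts[1]) // claims, now authenticated
}

// NewSigningKey makes a throwaway RSA key pair (assumed helper) so the verifier can be exercised offline.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
```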

Hello @mark2b, I'm new to working with Go and consequently with Iris. I'm going to do the auth with Auth0.com and I found this example, which may help you.

https://github.com/auth0/go-jwt-middleware/tree/master/examples/iris-example

aristotekean, Feb 02 '24 22:02