In today's Internet application development, security is receiving more and more attention. JSON Web Tokens (JWT) have become one of the common authentication and authorization schemes in most web API designs. JWT is an open standard (RFC 7519) that defines a compact and self-contained way to securely communicate information between parties.
Go language is a very powerful server-side programming language, and it is very easy to implement JWT easily. In this article, we will introduce how to implement JWT in Golang.
1.Introduce dependencies
First, you need to introduce the following libraries:
import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"errors"
"fmt"
"time"
"github.com/dgrijalva/jwt-go"
)- crypto/rsa: Contains the functions of generating and parsing RSA public and private keys .
- crypto/x509: Contains certificate functions in PKIX format
- encoding/base64: used to encode and decode parts of the JWT
- encoding/pem: used to extract and Store certificates in PEM format
- errors: used to process returned error messages
- fmt: standard formatting function
- time: standard time function
- github .com/dgrijalva/jwt-go: JWT’s main dependency
2. Create a key file
First, you need to create a private key file. Use the following command to generate the private key file:
openssl genrsa -out app.rsa 1024
This will generate a 1024-bit RSA key named app.rsa. We will use this key to generate the JWT.
- Generate JWT token
Now, we can create the JWT token using the following code:
func GenerateJWT() (string, error) {
token := jwt.New(jwt.SigningMethodHS256)
claims := token.Claims.(jwt.MapClaims)
claims["authorized"] = true
claims["user"] = "user@example.com"
claims["exp"] = time.Now().Add(time.Hour * 1).Unix()
tokenString, err := token.SignedString([]byte("secret"))
if err != nil {
return "", err
}
return tokenString, nil
}This function creates the JWT token using the HS256 algorithm . First, we create a new JWT token object. We then add the statement to its claims. In this example, we declare that "Authorization" is set to "True", the user is set to "user@example.com", and the JWT's expiration time is set to 1 hour later. Finally, we sign the JWT using the provided "secret" ("secret" in this example) and return that string.
- Parsing JWT token
We can use the following code to parse the JWT token:
func ParseJWT(tokenString string) (jwt.MapClaims, error) {
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return []byte("secret"), nil
})
if err != nil {
return nil, err
}
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
return claims, nil
}
return nil, errors.New("invalid token")
}The function accepts the JWT token string and then Try parsing the JWT. Here we use HS256 algorithm to decrypt jwt. First, we need to verify whether the Token is signed using the HMAC algorithm, otherwise an error will be returned. Next, we return an encryption key ("secret" in this example). When parsing is successful, the function returns a verified and unexpired claim. If parsing fails, the function returns an error message.
- More advanced encryption methods
In addition to the HS256 algorithm, there are many other encryption algorithms that you can use to encrypt the JWT payload. For example, a JWT signed using the RSA algorithm is more secure than using the HS256 algorithm. Here is a way to generate a JWT token using the RSA algorithm:
func GenerateJWT() (string, error) {
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return "", err
}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
"authorized": true,
"user": "user@example.com",
"exp": time.Now().Add(time.Hour * 1).Unix(),
})
tokenString, err := token.SignedString(privateKey)
if err != nil {
return "", err
}
return tokenString, nil
}Here, we first generate a 2048-bit RSA private key. We then sign the JWT token using the RS256 algorithm. Finally, we sign the JWT token using the private key.
When parsing the JWT token, a different approach also needs to be taken:
func ParseJWT(tokenString string) (jwt.MapClaims, error) {
publicKey := `
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArtpZKxF+1MDwcJ61KeJt
GjHYiAL46jEewsjF9oBz59J2y5/v/tE/RQjJjOtGvLQ5LfPYBK+j+Z6QIwU1ZzCJ
I0MT5mn81znZCsy7zcZI7+kRPG8Fk5JzKM2ug7RAuYqnOjArL8+V+uS4Moh2RWdN
yZizvjajzKtbH5zLC49Dd3X/SrjzPQpzt8HY4Z7YxYej8/Akl3nxdx9Q/OPG2NYP
xtflmpLLJc7roqkfVwwMQeC1apHr/klI3FHPvK/pzBoUCUOpTfnyvHg8O1+PyMKJ
CldHEhuzUsTR5jM5fXv0M4+vL36QO8k1WhO4gcQTD6X7fIWqFhfrRM/jreG+bv8c
7wIDAQAB
-----END PUBLIC KEY-----
`
block, _ := pem.Decode([]byte(publicKey))
if block == nil {
return nil, errors.New("failed to decode PEM block containing public key")
}
pub, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return nil, err
}
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return pub, nil
})
if err != nil {
return nil, err
}
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
return claims, nil
}
return nil, errors.New("invalid token")
}In this function, we need to extract the RSA public key first and then pass it to the jwt.Parse function. When parsing the token, the jwt-go library will automatically use the public key for verification. Note that the public key used here is provided in PKIX format. You can use a tool like OpenSSL to export the PEM public key to PKIX format.
6. Summary
In this article, we introduced how to create and parse JWT tokens in Golang using HS256 and RS256 algorithms. This is a common authentication and authorization scheme that you can use in future web applications. Hope this article is helpful to you.
The above is the detailed content of golang implements jwt. For more information, please follow other related articles on the PHP Chinese website!
Understanding Goroutines: A Deep Dive into Go's ConcurrencyMay 01, 2025 am 12:18 AMGoroutinesarefunctionsormethodsthatrunconcurrentlyinGo,enablingefficientandlightweightconcurrency.1)TheyaremanagedbyGo'sruntimeusingmultiplexing,allowingthousandstorunonfewerOSthreads.2)Goroutinesimproveperformancethrougheasytaskparallelizationandeff
Understanding the init Function in Go: Purpose and UsageMay 01, 2025 am 12:16 AMThepurposeoftheinitfunctioninGoistoinitializevariables,setupconfigurations,orperformnecessarysetupbeforethemainfunctionexecutes.Useinitby:1)Placingitinyourcodetorunautomaticallybeforemain,2)Keepingitshortandfocusedonsimpletasks,3)Consideringusingexpl
Understanding Go Interfaces: A Comprehensive GuideMay 01, 2025 am 12:13 AMGointerfacesaremethodsignaturesetsthattypesmustimplement,enablingpolymorphismwithoutinheritanceforcleaner,modularcode.Theyareimplicitlysatisfied,usefulforflexibleAPIsanddecoupling,butrequirecarefulusetoavoidruntimeerrorsandmaintaintypesafety.
Recovering from Panics in Go: When and How to Use recover()May 01, 2025 am 12:04 AMUse the recover() function in Go to recover from panic. The specific methods are: 1) Use recover() to capture panic in the defer function to avoid program crashes; 2) Record detailed error information for debugging; 3) Decide whether to resume program execution based on the specific situation; 4) Use with caution to avoid affecting performance.
How do you use the "strings" package to manipulate strings in Go?Apr 30, 2025 pm 02:34 PMThe article discusses using Go's "strings" package for string manipulation, detailing common functions and best practices to enhance efficiency and handle Unicode effectively.
How do you use the "crypto" package to perform cryptographic operations in Go?Apr 30, 2025 pm 02:33 PMThe article details using Go's "crypto" package for cryptographic operations, discussing key generation, management, and best practices for secure implementation.Character count: 159
How do you use the "time" package to handle dates and times in Go?Apr 30, 2025 pm 02:32 PMThe article details the use of Go's "time" package for handling dates, times, and time zones, including getting current time, creating specific times, parsing strings, and measuring elapsed time.
How do you use the "reflect" package to inspect the type and value of a variable in Go?Apr 30, 2025 pm 02:29 PMArticle discusses using Go's "reflect" package for variable inspection and modification, highlighting methods and performance considerations.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SublimeText3 English version
Recommended: Win version, supports code prompts!
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Mac version
God-level code editing software (SublimeText3)
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
