How to verify JWE token in Golang

Question content

I have 2 questions, but first I want to provide some background information:

On our web application, we use nextauth to generate a jwt token and then append it to the request to the golang server (used to get the resource).

The generated token appears to be a jwe token generated via a256gcm. In our golang server we want to validate the token and extract some custom claims for it. That said, we're trying to find a way to decrypt it. We use go-jose as follows:

rawToken := `eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..aiIqD7-cU8Hu92F8.Kx2k99cyLYJR1P0xK_1wUsVO521T7kYSKx-OEutVJcpzbX27hZH0kh2MlBLxQHdmc8q4uXglhjl4JE3nTp_c6nOjga-faHyxYqKrZGJFLlu9MC4JVUWyonX6doFq0gl3UX9ABtP2t35Qly-w1qKH8BdG9x4iB1YM-yvs1w-HpBbMFQR7U7X4oHWIh_YJQlWADesYq6da7A97GSSXs2Go6yb7SH5WWd7iQzDu-UO6eg._PqujCUyMUqOkID80vJiDw`
key := []byte("thisisaverylongtextusedforhashing")

enc, err := jwt.ParseEncrypted(rawToken)
if err != nil {
    panic(err)
}

out := jwt.Claims{}
if err := enc.Claims(key, &out); err != nil {
    panic(err)
}
fmt.Printf("iss: %s, sub: %s\n", out.Issuer, out.Subject)

we got: panic: square/go-jose: Error in cryptographic primitives

ps: The secret I passed to nextauth for jwe generation: thisisaverylongtextusedforhashing

The original jwe token output by nextauth, which I want to verify in my golang server: eyjhbgcioijkaxiilcjlbmmioijbmju2r0nnin0..aiiqd7-cu8hu92f8.kx2k99cylyjr1p0xk_1wusvo521t7kyskx-oeutvjcpzbx27hzh0kh2m lblxqh dmc8q4uxglhjl4je3ntp_c6nojga-fahyxyqkrzgjfllu9mc4jvuwyonx6dofq0gl3ux9abtp2t35qly-w1qkh8bdg9x4ib1ym-yvs1w-hpbbmfqr7u7x4ohwih_yjqlwadesyq 6da7a97gssxs2go6y b7sh5wwd7iqzdu-uo6eg._pqujcuymuqokid80vjidw.

Correct answer

Based on your comments, I have compiled a reply that can help you solve the problem. First, I used version 2 of the ngopkg.in/go-jose/go-jose.v2 package because (from what I could see) the algorithm a256gcm is the same as it should be The latest versions of version 3 packages are not fully compatible. You can find the relevant code:

package main

import (
    "crypto/rand"
    "crypto/rsa"
    "fmt"
    "io"
    "os"
    "time"

    "github.com/golang-jwt/jwt"
    jose_jwt "gopkg.in/go-jose/go-jose.v2"
)

type CustomClaims struct {
    Username string `json:"username"`
    Password string `json:"password"`
    jwt.StandardClaims
}

func main() {
    privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        panic(err)
    }

    // generate token
    token, err := generateToken()
    if err != nil {
        panic(err)
    }

    publicKey := &privateKey.PublicKey
    encrypter, err := jose_jwt.NewEncrypter(jose_jwt.A256GCM, jose_jwt.Recipient{
        Algorithm: jose_jwt.RSA_OAEP_256,
        Key:       publicKey,
    }, nil)
    if err != nil {
        panic(err)
    }

    plainText := []byte(token)
    object, err := encrypter.Encrypt(plainText)
    if err != nil {
        panic(err)
    }

    serialized := object.FullSerialize()

    object, err = jose_jwt.ParseEncrypted(serialized)
    if err != nil {
        panic(err)
    }

    decrypted, err := object.Decrypt(privateKey)
    if err != nil {
        panic(err)
    }

    fmt.Println(string(decrypted))

    // parse token
    claims, err := ValidateToken(string(decrypted))
    if err != nil {
        panic(err)
    }

    fmt.Println(len(claims))
}

Here, we first generate a private key to encrypt the token and then decrypt it via its public key. For the sake of brevity, I've omitted the code for generating and validating the jwt token. To test this solution, I added two custom claims (username and password defined in the customclaims structure) to the generated token. Then when we parse the tokens we will be able to retrieve their values.
If this helps you, please let me know!

The above is the detailed content of How to verify JWE token in Golang. For more information, please follow other related articles on the PHP Chinese website!