Home > Article > Backend Development > Azure JWT validation in Go not working
Azure JWT validation in Go not working
- WBOYforward
- 2024-02-09 11:12:091012browse
When using Go language to develop Azure applications, we often encounter the problem that JWT (JSON Web Token) verification does not work. JWT is a secure transport method for passing claims between web applications, but sometimes you encounter various issues when using Azure's JWT validation in Go. This article will introduce you to some possible reasons why JWT verification does not work, and provide corresponding solutions to help you solve this common problem. This article has been carefully compiled by PHP editor Apple, and I hope it will be helpful to you.
Question content
I have a go http server. I want to secure my route using azure jwt token. I am able to generate the token but cannot verify it.
This is what I did:
package main
import (
"context"
"errors"
"fmt"
"github.com/dgrijalva/jwt-go"
"github.com/lestrrat-go/jwx/jwa"
"github.com/lestrrat-go/jwx/jwk"
njwt "github.com/lestrrat-go/jwx/jwt"
)
const token = "<access-token>"
const jwksurl = `https://login.microsoftonline.com/common/discovery/keys`
func main() {
set, _ := jwk.fetch(context.todo(), jwksurl)
// verified that set has required kid
verify2(token, set)
token, err := verify(token, set)
// token, err := jwt.parse(token, getkey)
if err != nil {
panic(err)
}
claims := token.claims.(jwt.mapclaims)
for key, value := range claims {
fmt.printf("%s\t%v\n", key, value)
}
}
func verify2(token string, keyset jwk.set) {
btoken := []byte(token)
parsedtoken, err := njwt.parse(
btoken, //token is a []byte
njwt.withkeyset(keyset),
njwt.withvalidate(true),
)
fmt.printf("%v %v", parsedtoken, err)
}
func verify(tokenstring string, keyset jwk.set) (*jwt.token, error) {
tkn, err := jwt.parse(tokenstring, func(token *jwt.token) (interface{}, error) {
if token.method.alg() != jwa.rs256.string() {
return nil, fmt.errorf("unexpected signing method: %v", token.header["alg"])
}
kid, ok := token.header["kid"].(string)
if !ok {
return nil, errors.new("kid header not found")
}
keys, ok := keyset.lookupkeyid(kid)
if !ok {
return nil, fmt.errorf("key %v not found", kid)
}
var raw interface{}
err := keys.raw(&raw)
return raw, err
})
return tkn, err
}
verify2(..) gives 2d77b2345c34a631c3d251f57ce68620 failed to match any keys and
verify(..) gives crypto/rsa: Verification error
My jwt header:
{
"typ": "JWT",
"nonce": "...",
"alg": "RS256",
"x5t": "-KI3Q9nNR7bRofxmeZoXqbHZGew",
"kid": "-KI3Q9nNR7bRofxmeZoXqbHZGew"
}Workaround
You are using the wrong type of Azure AD access token. Content with nonces in JWT headers are not intended to be verified by your own API - they are intended for Microsoft's own API.
You need to expose an API scope to resolve this issue, after which you will get an access token without the nonce in the JWT header. My blog post has some further relevant information.
The above is the detailed content of Azure JWT validation in Go not working. For more information, please follow other related articles on the PHP Chinese website!