How to parse the JWT payload with keyset json file?

[Modeux]

I use the blew code to generate the key and copy the content to a json file.

func NewJwkKeySet() {
	raw, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		fmt.Printf("failed to generate new RSA privatre key: %s\n", err)
		return
	}
	key, err := jwk.New(raw)
	if err != nil {
		fmt.Printf("failed to create symmetric key: %s\n", err)
		return
	}

	if _, ok := key.(jwk.RSAPrivateKey); !ok {
		fmt.Printf("expected jwk.SymmetricKey, got %T\n", key)
		return
	}
	key.Set(jwk.KeyIDKey, "mykey")
	key.Set(jwk.AlgorithmKey, jwa.RS256)

	buf, err := json.MarshalIndent(key, "", "  ")
	if err != nil {
		fmt.Printf("failed to marshal key into JSON: %s\n", err)
		return
	}
	fmt.Printf("%s\n", buf)
}

the key.json format look like this

{
  "keys": [
    {
      "alg": "RS256",
      "d": "fia3dJiWCp3lIRDvoF6E_94_psKXGFccbTA2DpAZnlj7-Iqku2E6N7IZlrnRx38l_GAIxbD1XJutxOwbDTl3lA5hcPRenxSbtiDUC2_aoeNlEiwHsM4JQh0yL5qbdtu2zR_KjkyNF__i8CE_mCY7NFpw0lzs_a6fOYkc3iTTBOE3D9SXjBGYyJCNgYR3BunCr_FKfle1PvaOsIuaGsT2kA6lSGqxWINzLdNzstHO7C22Ry69zLR3Q6s3MYIHfc6TP4t5Q1KXBfKQur7rd460bg-zDQTMVmMEFUVQGWrkIzFr4Z1CErj284cKLRo4pI85GSvacg1InUJG-UIZGVLkQQ",
      "dp": "XRvU8WaLrv-3NszQJcfDe0jletCUsgPFi4PREWYNXXxFM4BU7WcQHqx5qDbSED56l8B_5Tyfknw74SBr53wj2JUNDMmFjgGmGNRnSgrLO0PqQqmHBovDQwSqbPWTGjxQR9Bb3FbYySG7diNQJp6CYTB6RT1kFliVt_ZKQI1YlIU",
      "dq": "JsEkJM8SmxMQGC_mivOUoIa8G4cxctU3jtyS4Xax3kxdaaSN548JHdVQ_ydr9DU4u7SCrFa882jXqbqtaxee-L_Ocia72fGFWF1o2mTfiZaWOWfNlw5gIaftLFtr755D5WQyCD1fMMEd8bZc4dTEqcxl1Gzhuk4kaQ5y3qtI7uk",
      "e": "AQAB",
      "kid": "mykey",
      "kty": "RSA",
      "n": "ottEQ-VOknDlTGhy5oZYe2HRFl7vGfYKFkWgXPqa7OvZzcmVyjGWnHzyDlGDc2m2p-nWfy_Pfycsh8ztTFHMIL9UTR9vMJPys3GalObTtAaxB0b1-BoH7Y5RX69fNE8t8ZIWMti2xaPk2ZXWt5CsUETEz_OSSHPEDXnVspzLflQDdpyHiZbaYzMt6vToXkXeHeub0kmyu9zEmom2An0enIJxh8-d7-xyFKEhMknPY4791jbbff_CqNoy0FWgRNEMbC_FNf3_M6uFxj8_3IsdyfvnkIhOQCkxK1XkR3eLzToeR_o_24hZy735KeuNp0ntKCUwbsLAbtdxbWd6QpgyZQ",
      "p": "y6BOBdJfvjdBlkIg-uHUTem1wt5lsp-6bAJCoGhqcD-Us4wPzUGPtkxkVOs3yNpO3lNJ4kI2i9fEUKVcpSYAOnCfzIbBheInD7s_xnlVsVBs_jrW8-s0kfGBvDjTpy9ONbR_Hy2wBdSgBXT2A1H53R5qgiMWeULhr7_qDWidiz0",
      "q": "zL5_HzUWJXg71NPfc-De9m6V1DG2ss-yfVnTrD83rZTOaOrBXpkZF3kX7YSdU98qYvVrzcH-BZvkZlMQ-rfAcjhnjgbE2SC8aXhGqA-PCyA10hqu74KtJMvzSyaoqmxVWM1drfoWCvGhaveSYZBS2RSGptfILmORH1Lli8bJVkk",
      "qi": "phWSjqal8_pyniyp-MV1AVX-03kgdYWTkPTgnO3RizwKwOnQjdhfki7FoAs-lHakGRKCAfi9YMtnRWO2Vmp-UJ3EE7wkFaQaS-0h9eG94MoYpx5BudYkEyZ2Jpn3d5AnPqpcHkG7phOl6wfU8T53cGkg7WIAZlSTJjaRcPdf_zI"
    }

  ]
}

Using the keyset to create the JWT

func jwtSignWithJwk() []byte {
	keyset, err := jwk.ReadFile("key.json")
	if err != nil {
		fmt.Printf("failed to load keyset: %s\n", err)
		return nil
	}

	if key, ok := keyset.Get(0); ok {
		token := jwt.New()
		token.Set(jwt.SubjectKey, `https://github.com/lestrrat-go/jwx/jwt`)
		token.Set(jwt.AudienceKey, `Golang Users`)
		token.Set(jwt.IssuedAtKey, time.Unix(500, 0))


		signed, err := jwt.Sign(token, jwa.RS256, key)
		if err != nil {
			fmt.Println(err)
			return nil
		}
		return signed
	}
	return nil
}

then I try to parse the JWT payload

func parseJwtWithJWKS(t []byte) {
	keySet, err := jwk.ReadFile("/Users/huntwu/Desktop/playground/newjwt/key.json")
	if err != nil {
		fmt.Printf("failed to load keyset: %s\n", err)
		return
	}

	if key, ok := keySet.Get(0); ok {
		var rawkey interface{} // This is the raw key, like *rsa.PrivateKey or *ecdsa.PrivateKey
		if err := key.Raw(&rawkey); err != nil {
			log.Printf("failed to create public key: %s", err)
			return
		}
	}


	token, err := jwt.Parse(t, jwt.WithKeySet(keySet), jwt.InferAlgorithmFromKey(true))
	if err != nil {
		fmt.Printf("failed to parse payload: %s\n", err)
		return
	}
	fmt.Println(token)
}

the result is an error

failed to parse payload: failed to verify jws signature: failed to verify message: failed to retrieve rsa.PublicKey out of *jwk.rsaPrivateKey: failed to produce rsa.PublicKey from *jwk.rsaPrivateKey: argument to AssignIfCompatible() must be compatible with *rsa.PrivateKey (was *rsa.PublicKey)

If I remove the key.Set(jwk.AlgorithmKey, jwa.RS256)

and use token, err := jwt.Parse(t, jwt.WithKeySet(keySet), jwt.InferAlgorithmFromKey(true))

to parse the payload the error will change to failed to parse payload: failed to match any of the keys

I look the document several times, still could not figure out why this error cause.

Did I do anything wrong?

[Modeux]

Ok, I have figured it out by myself.

For someone not familiar with JWK and JWT, I'll describe my steps more clearly.

1. Create the RSA key pair.

raw, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		fmt.Printf("failed to generate new RSA privatre key: %s\n", err)
		return
	}
	key, err := jwk.New(raw)
	if err != nil {
		fmt.Printf("failed to create symmetric key: %s\n", err)
		return
	}

	if _, ok := key.(jwk.RSAPrivateKey); !ok {
		fmt.Printf("expected jwk.SymmetricKey, got %T\n", key)
		return
	}
	key.Set(jwk.KeyIDKey, "mykey")
	key.Set(jwk.AlgorithmKey, jwa.RS256)

	buf, err := json.MarshalIndent(key, "", "  ")
	if err != nil {
		fmt.Printf("failed to marshal key into JSON: %s\n", err)
		return
	}
	fmt.Printf("%s\n", buf)

	pubKey, _ := key.PublicKey()
	pubBuf, err := json.MarshalIndent(pubKey, "", "  ")
	if err != nil {
		fmt.Printf("failed to marshal key into JSON: %s\n", err)
		return
	}

the key point is you need to save the private key and the public key into two JSON files.
you must add the kid with key.Set(jwk.KeyIDKey, "mykey") in the key field

2. Sign the JWT with the private key JSON

func jwtSignWithJwk() []byte {
	keyset, err := jwk.ReadFile("private_key.json")
	if err != nil {
		fmt.Printf("failed to load keyset: %s\n", err)
		return nil
	}

	if key, ok := keyset.Get(0); ok {
		token := jwt.New()
		token.Set(jwt.SubjectKey, `https://github.com/lestrrat-go/jwx/jwt`)
		token.Set(jwt.AudienceKey, `Golang Users`)
		signed, err := jwt.Sign(token, jwa.RS256, key)
		if err != nil {
			fmt.Println(err)
			return nil
		}
		return signed
	}
	return nil
}

3. Parse and validate the token

func parseJwtWithJWKS(t []byte) {
	keySet, err := jwk.ReadFile("/Users/huntwu/Desktop/playground/newjwt/pub_key.json")
	if err != nil {
		fmt.Printf("failed to load keyset: %s\n", err)
		return
	}

	token, err := jwt.Parse(t, jwt.WithKeySet(keySet))
	if err != nil {
		fmt.Printf("failed to parse payload: %s\n", err)
		return
	}
	if err := jwt.Validate(token); err != nil {
		fmt.Println(`failed to validate token`)
		return
	}
}

[lestrrat]

Sorry about the late reply, but yeah, I think you solved your problem
Yes, you sign with a private key, you verify with a public key.

I think you saved a JWKS with a single private key in the key.json file, yeah?
In that case, your original code almost worked if you used jwk.PublicSetOf(keyset) to get a JWKS with all keys converted into public keys.

Also, since you only have 1 key, it would have been easier if you just skipped using JWKS and use a single JWK instead (if using JWKS is not a requirement).

In pseudocode:

privJWK, _ := jwk.New( rsaPrivateKey )
keyFile, _ := io.Open(...)
json.NewEncoder(keyFile).Encode(privJwk)

signed, _  := jwt.Sign(token, alg, privJwk)

jwkFromFile, _ := jwk.ReadFile(`key.json`)
pubJWK, _ := jwk.PublicKeyOf(jwkFromFile)

jwt.Parse(signed, jwt.WithVerify(alg, pubJWK))

[Modeux]

Thx for your reply and for spending time looking at my question.

I'll update my code as you suggest.