simple question

[aphuang2013]

I know how to build a token with library set and it is completed. However, it did not have a String() function, so I cannot generated it for other to use, I also cannot take a generated jwt and do some testing. Is there something really simple that I missed?

[gbolo]

string(token)

…

On Tue., Jan. 25, 2022, 7:34 p.m. aphuang2013, ***@***.***> wrote: I know how to build a token with library set and it is completed. However, it did not have a String() function, so I cannot generated it for other to use, I also cannot take a generated jwt and do some testing. Is there something really simple that I missed? — Reply to this email directly, view it on GitHub <#561>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADHZQ75GJC6A5Y2N2KDDEHDUX46QJANCNFSM5MZWTGNQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[lestrrat]

I guess it depends on what you mean by "otherse to use".

Serializing the token with JWS:

jwt.Sign(token, ....)

or, perhaps you just want to get the JSON?

json.Marshal(token)

[aphuang2013]

thx for the answer, looking at the code, the Sign return byte array which can be print. the Marshal usage is interesting since it takes Token as input and print out json output but nothing with signed output. I think I will need to use the sign function.

[gbolo]

yea, this is the most common use case:

	signedJwt, err := jwt.Sign(*token, signatureAlg, signingKey)
	if err != nil {
		...
	}
	return string(signedJwt)

[aphuang2013]

thx, the signedJwt will work. is there any example of verify jwt token using JWK? I have a signed token but not sure how to verify it.

[lestrrat]

No offense, but if you are asking these questions, it really means you should be reading more about how JWTs work before writing code.

For this module I have created a whole section of FAQ style docs, including description about the relationship between JWT/JWS/JWE/JWK, how to perform common JWT operation, etc. There's also a bunch of code in the examples directory. But if you are doing this for $real_job and not a hobby project, I really suggest you read up more on the various aspects of JWT, as it usually directly has a security impact.

[aphuang2013]

1. thx for the comments, sorry about the naive questions
2. to my defense, I actually understand jwt/rfc7519 pretty well and does a lot of jwt processing (not creating since protection of private key is better done elsewhere). one of my mistake is mis-understand the jwt.token which I only deal with signed jwt and that is not correct, thus the question.
3. I admit that I have not spend enough time on jws/rfc7515 where I will need to be better so not to ask native question
4. I have done some processing of jwk/rfc7517 but have not find an easy way to handle the keyset (beside iterate through it), without that, jwk is just a good idea and not usable in real life
5. I did look at all the example codes in the example directory and run some of them with my own setup, I'm not sure I understand all of them, they mostly focus on creation and verification and not consuming. finally, not sure I agree with the oidc example, I need to go back to the openid connect spec and see where are the gaps.

[lestrrat]

Apologies if I sounded like I was shunning posting simple questions. That's not my intention.

But I did think the way your questioning sounded like you needed to read more on either how this module works or how JW* works in order for you to form better questions. Now, I may have been mistaken, but that's just what I thought back then. I'm sorry if that's not the case. I just wanted to reiterate here that "naive" questions are fine.

[aphuang2013]

thx for all the pointers and help. I was able to do the JWKS URL verification + a local jwk file (x509 pem) verification of my jwt token. the reason I need to do that is due to 1) my jwks provider only publish two signing keys and it chooses different kid name than my JWT issuer (even they are the same vendor software), Using a local jwk file with x509 is important since that allow jwt verification when not able to connect to JWKS publisher; BTW, I only deal with RSA keys since I have more experience with PKI stuff.

…

On Thu, Jan 27, 2022 at 10:31 PM lestrrat ***@***.***> wrote: Apologies if I sounded like I was shunning posting simple questions. That's not my intention. But I did think the way your questioning sounded like you needed to read more on either how this module works or how JW* works in order for you to form better questions. Now, I may have been mistaken, but that's just what I thought back then. I'm sorry if that's not the case. I just wanted to reiterate here that "naive" questions are fine. — Reply to this email directly, view it on GitHub <#561 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABIH4WHUW5OJ7YHSAVARS4TUYHBS7ANCNFSM5MZWTGNQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>

-- peter huang