
How to verify a JSON Web Token with the jwt-go library?

I am using the jwt-go library in golang, and using the HS512 algorithm for signing the token. I want to make sure the token is valid and the example in the docs is like this:

// The keyFunc receives the parsed (but not yet verified) token and must return
// the key the library should check the signature with; here the "kid" header
// is used to pick that key.
token, err := jwt.Parse(myToken, func(token *jwt.Token) (interface{}, error) {
    return myLookupKey(token.Header["kid"])
})

// token.Valid is only true when the signature verified and the registered
// claims (exp, nbf, ...) passed validation.
if err == nil && token.Valid {
    fmt.Println("Your token is valid.  I like your style.")
} else {
    fmt.Println("This token is terrible!  I cannot accept this.")
}

I understand that myToken is the string token and the keyFunc gets passed the parsed token, but I don't understand what the myLookupKey function is supposed to do, and token.Header doesn't have a kid value when I print it to the console, and even though the token has all the data I put in it, token.Valid is always false. Is this a bug? How do I verify the token is valid?

The keyFunc is supposed to return the private key that the library should use to verify the token's signature. How you obtain this key is entirely up to you.

The example from the documentation shows a non-standard (not defined in RFC 7519) additional feature that is offered by the jwt-go library. Using a kid field in the header (short for key ID), clients can specify with which key the token was signed. On verification, you can then use the key ID to look up one of (possibly several) known keys (how and if you implement this key lookup is up to you).

If you do not want to use this feature, just don't. Simply return a static byte stream from the keyFunc without inspecting the token headers:

token, err := jwt.Parse(myToken, func(token *jwt.Token) (interface{}, error) {
    // Refuse tokens whose header names a different algorithm than the one you
    // sign with; otherwise the key below is handed to whatever method the
    // token claims to use.
    if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
        return nil, errors.New("unexpected signing method")
    }
    // For HS512 the "key" is the shared HMAC secret as raw bytes.
    key, err := ioutil.ReadFile("your-private-key.pem")
    if err != nil {
        return nil, errors.New("private key could not be loaded")
    }
    return key, nil
})
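As an added example (not code from the question, the answer, or jwt-go itself), here is what the kid lookup and the signature check behind token.Valid amount to for HS512, written against the Go standard library so it runs without jwt-go; the key store, the key ID "k1" and its secret are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed key store: "kid" header value -> HS512 shared secret (sample values only).
var keyStore = map[string][]byte{"k1": []byte("constructed-secret-for-k1")}

// myLookupKey is the job the question's keyFunc delegates to: resolve a kid to
// the shared secret that signed the token.
func myLookupKey(kid string) ([]byte, error) {
	if key, ok := keyStore[kid]; ok {
		return key, nil
	}
	return nil, errors.New("unknown key id: " + kid)
}

// hs512 computes the JWS signature: HMAC-SHA512 over the "header.payload" text.
func hs512(key []byte, signingInput string) []byte {
	mac := hmac.New(sha512.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// VerifyHS512 is what jwt.Parse plus token.Valid amount to for HS512: pin the
// alg, resolve the key by kid, recompute the MAC and compare it in constant
// time. The raw payload JSON is returned only once the signature checks out.
func VerifyHS512(token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, errors.New("invalid base64url segment")
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "HS512" {
		return nil, errors.New("bad header or unexpected alg")
	}
	key, err := myLookupKey(hdr.Kid)
	if err != nil || !hmac.Equal(raw[2], hs512(key, parts[0]+"."+parts[1])) {
		return nil, errors.New("unknown kid or signature verification failed")
	}
	return raw[1], nil
}
```

Validating registered claims such as exp and nbf, which jwt-go also folds into token.Valid, is a separate step on the returned payload.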
