如何验证 Go 中的 JWT 令牌并将其加载到结构中?

[英]How to verify a JWT token in Go and load it into a struct?

This should be a simple question but I've been frustrated trying to figure it out.这应该是一个简单的问题,但我一直很沮丧试图弄清楚。

Given a JWT token and a RSA public/private key pair, how do I convert the token to a struct and verify it?给定 JWT 令牌和 RSA 公钥/私钥对,如何将令牌转换为结构并验证它?

type JwtData struct {
    AccessToken string `json:"access_token"`
    Iat         int    `json:"iat"`
    Exp         int    `json:"exp"`
    Sub         string `json:"sub"`
    Iss         string `json:"iss"`

privateKeyString := "my_private_key"

publicKeyString := "my_public_key"

tokenString := "my_token_data"

decryptedData, error := whatDoIDoHere(publicKeyString, tokenString)

It seems like this is the "standard" Go library for JWTs (is there even a standard one? I find Go's package ecosystem confusing) https://github.com/lestrrat-go/jwx/tree/main/jwt这似乎是 JWT 的“标准”Go 库(甚至有标准库吗?我发现 Go 的 package 生态系统令人困惑) Z5E056C500A1C4B6A7110B50D807BADELE5

The demo covers this fairly well but here is a more complete example showing how to go from an encoded token/certificate (note that the demo generates the cert/jwt first; you can ignore that bit if you are not interested in it).演示很好地涵盖了这一点,但这里有一个更完整的示例,展示了如何从编码的令牌/证书中生成 go(请注意,演示首先生成 cert/jwt;如果您对它不感兴趣,可以忽略该位)。

It seems like this is the "standard" Go library for JWTs (is there even a standard one?)这似乎是 JWT 的“标准”Go 库(甚至有标准库吗?)

Go has a Standard Library which covers a lot of basic functionality. Go 有一个标准库,涵盖了许多基本功能。 I don't think that anything else can be considered 'standard' (this is as per other languages; the Go standard library is pretty comprehensive compared to most).我不认为其他任何东西都可以被视为“标准”(这与其他语言一样;与大多数语言相比,Go 标准库非常全面)。 There are a few JWT packages but lestrrat-go/jwx is fairly comprehensive and, importantly, actively developed.有一些 JWT 包,但lestrrat-go/jwx相当全面,重要的是,它正在积极开发。

package main

import (


func main() {
    token, pubKey, err := generateJWT()
    if err != nil {
    // JWT has been generated - lets output it (and the certificate)
    fmt.Printf("JWT: %s\nPublic Key: %s", token, pubKey)

    parsedToken, err := parseJWT(token, pubKey)
    if err != nil {
    // Standard claims can be accessed as follows:
    fmt.Printf("Iss: %v\n", parsedToken.IssuedAt())
    fmt.Printf("Exp: %v\n", parsedToken.Expiration())
    fmt.Printf("Aud: %v\n", parsedToken.Audience())

    // Private Claims
    fmt.Printf("Private Claims: %#v\n", parsedToken.PrivateClaims())

// generateJWT - Generates a JWT (and signs it with a generated certificate)
func generateJWT() ([]byte, []byte, error) {
    // We will start by generating a test token for which a key will be needed
    privKey, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        return nil, nil, fmt.Errorf("failed to generate private key: %s\n", err)

    // Preparation:
    // For demonstration purposes, we need to do some preparation
    // Create a JWK key to sign the token (and also give a KeyID)
    realKey, err := jwk.New(privKey)
    if err != nil {
        return nil, nil, fmt.Errorf("failed to create JWK: %s\n", err)
    realKey.Set(jwk.KeyIDKey, `mykey`)

    // Create the token
    token := jwt.New()
    token.Set(`foo`, `bar`)

    // Set a few standard keys
    token.Set(jwt.IssuedAtKey, time.Now())
    token.Set(jwt.ExpirationKey,  time.Now().Add(time.Hour)) // lets make it expire in an hour
    token.Set(jwt.AudienceKey, "lotsOfUsers")

    // Sign the token and generate a payload
    signed, err := jwt.Sign(token, jwa.RS256, realKey)
    if err != nil {
        return nil, nil, fmt.Errorf("failed to generate signed payload: %s\n", err)

    // For completeness lets encode the public key (so the decoding matches what someone just performing the decode would need to do)
    publickey := &privKey.PublicKey
    publicKeyBytes, err := x509.MarshalPKIXPublicKey(publickey)
    if err != nil {
        return nil, nil, fmt.Errorf("error when dumping publickey: %s \n", err)
    publicKeyBlock := &pem.Block{
        Type:  "PUBLIC KEY",
        Bytes: publicKeyBytes,
    publicKeyBuff := new(bytes.Buffer)
    err = pem.Encode(publicKeyBuff, publicKeyBlock)
    if err != nil {
        return nil, nil, fmt.Errorf("error when encode public pem: %s \n", err)
    encodedPubKey := publicKeyBuff.Bytes()

    return signed, encodedPubKey, nil

// parse the passed in JWT with the passed in certificate and return a map of claims
func parseJWT(signedJWT []byte, encodedPubKey []byte) (jwt.Token, error){
    var keyset jwk.Set
    privPem, _ := pem.Decode(encodedPubKey)
    if privPem == nil {
        return nil, fmt.Errorf("Failed to decode PEM block")
    privPemBytes := privPem.Bytes
    var parsedKeyInt interface{}
    var err error
    if parsedKeyInt, err = x509.ParsePKIXPublicKey(privPemBytes); err != nil {
        return nil, fmt.Errorf("Failed to decode cert: %s", err)
    parsedKey, ok := parsedKeyInt.(*rsa.PublicKey)
    if !ok {
        return nil, fmt.Errorf("public key not expected type")

    // Now create a key set that users will use to verity the signed payload against
    pubKey, err := jwk.New(parsedKey)
    if err != nil {
        return nil, fmt.Errorf("failed to create JWK: %s", err)

    // Remember, the key must have the proper "kid"
    pubKey.Set(jwk.KeyIDKey, "mykey")

    // This key set contains only one key (the correct one)
    keyset = jwk.NewSet()

    parsedToken, err := jwt.Parse(
        // Tell the parser that you want to use this keyset
        // Tell the parser that you can trust this KeySet, and that
        // yo want to use the sole key in it
        // We want to validate the token; e.g. it should not have expired
    if err != nil {
        return nil, fmt.Errorf("failed to parse payload: %s", err)

    return parsedToken, nil

