1

I have Azure AD setup with OAuth2 and have it issuing a JWT for my web app. On subsequent requests, I want to validate the JWT that was issued. I'm using github.com/dgrijalva/jwt-go to do so however it always fails.

token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
        return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
    }
    return []byte("bW8ZcMjBCnJZS-ibX5UQDNStvx4"), nil
})
if err != nil {
    return nil, err
}

I'm picking at random the kid claim from the public keys listed by MS here https://login.microsoftonline.com/common/discovery/v2.0/keys so I'm lost as this isn't working.

Has anyone done this before or have any pointers?

Jon
  • 38,814
  • 81
  • 233
  • 382
  • Your [keyfunc](https://pkg.go.dev/github.com/golang-jwt/jwt#Keyfunc) is returning the `kid` (key ID) whereas you need to return the key (in the `x5c` node within the JWK file) as a `*rsa.PublicKey` . [This example](https://stackoverflow.com/a/56907478/11810946) might help. I'd suggest using the [new repo](https://github.com/golang-jwt/jwt) or [these libraries](https://github.com/lestrrat-go/jwx) (which include code to parse the [JWK](https://datatracker.ietf.org/doc/html/rfc7517) file you linked). – Brits Jan 29 '22 at 01:55
  • Thanks, I seem to be getting somewhere however whilst it creates the PublicKey the library now errors with "crypto/rsa: verification error" – Jon Jan 29 '22 at 10:37
  • The repository you are using is no longer maintained as pointed out by the README. I've been using it's official replacement, https://github.com/golang-jwt/jwt, and I have never experienced any problem. You should try it. – Benjamin Barrois Jan 28 '22 at 21:52

2 Answers2

1

The asset located at https://login.microsoftonline.com/common/discovery/v2.0/keys is what's known as a JWKS, JSON Web Key Set. If all you want to do is authenticate tokens signed by this service, you can use something similar to the below code snippet. I've authored a package just for this use case: github.com/MicahParks/keyfunc

Under the hood, this package will read and parse the cryptographic keys found in the JWKS, then associate JWTs with those keys based on their key ID, kid. It also has some logic around automatically refreshing a remote JWKS resource.

package main

import (
    "context"
    "log"
    "time"

    "github.com/golang-jwt/jwt/v4"

    "github.com/MicahParks/keyfunc"
)

func main() {

    // Get the JWKS URL.
    jwksURL := "https://login.microsoftonline.com/common/discovery/v2.0/keys"

    // Create a context that, when cancelled, ends the JWKS background refresh goroutine.
    ctx, cancel := context.WithCancel(context.Background())

    // Create the keyfunc options. Use an error handler that logs. Refresh the JWKS when a JWT signed by an unknown KID
    // is found or at the specified interval. Rate limit these refreshes. Timeout the initial JWKS refresh request after
    // 10 seconds. This timeout is also used to create the initial context.Context for keyfunc.Get.
    options := keyfunc.Options{
        Ctx: ctx,
        RefreshErrorHandler: func(err error) {
            log.Printf("There was an error with the jwt.Keyfunc\nError: %s", err.Error())
        },
        RefreshInterval:   time.Hour,
        RefreshRateLimit:  time.Minute * 5,
        RefreshTimeout:    time.Second * 10,
        RefreshUnknownKID: true,
    }

    // Create the JWKS from the resource at the given URL.
    jwks, err := keyfunc.Get(jwksURL, options)
    if err != nil {
        log.Fatalf("Failed to create JWKS from resource at the given URL.\nError: %s", err.Error())
    }

    // Get a JWT to parse.
    //
    // This wasn't signed by Azure AD.
    jwtB64 := "eyJraWQiOiJlZThkNjI2ZCIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJXZWlkb25nIiwiYXVkIjoiVGFzaHVhbiIsImlzcyI6Imp3a3Mtc2VydmljZS5hcHBzcG90LmNvbSIsImlhdCI6MTYzMTM2OTk1NSwianRpIjoiNDY2M2E5MTAtZWU2MC00NzcwLTgxNjktY2I3NDdiMDljZjU0In0.LwD65d5h6U_2Xco81EClMa_1WIW4xXZl8o4b7WzY_7OgPD2tNlByxvGDzP7bKYA9Gj--1mi4Q4li4CAnKJkaHRYB17baC0H5P9lKMPuA6AnChTzLafY6yf-YadA7DmakCtIl7FNcFQQL2DXmh6gS9J6TluFoCIXj83MqETbDWpL28o3XAD_05UP8VLQzH2XzyqWKi97mOuvz-GsDp9mhBYQUgN3csNXt2v2l-bUPWe19SftNej0cxddyGu06tXUtaS6K0oe0TTbaqc3hmfEiu5G0J8U6ztTUMwXkBvaknE640NPgMQJqBaey0E4u0txYgyvMvvxfwtcOrDRYqYPBnA"

    // Parse the JWT.
    var token *jwt.Token
    if token, err = jwt.Parse(jwtB64, jwks.Keyfunc); err != nil {
        log.Fatalf("Failed to parse the JWT.\nError: %s", err.Error())
    }

    // Check if the token is valid.
    if !token.Valid {
        log.Fatalf("The token is not valid.")
    }
    log.Println("The token is valid.")

    // End the background refresh goroutine when it's no longer needed.
    cancel()

    // This will be ineffectual because the line above this canceled the parent context.Context.
    // This method call is idempotent similar to context.CancelFunc.
    jwks.EndBackground()
}
Micah Parks
  • 1,504
  • 1
  • 10
  • 22
0

Annoyingly it was a Azure AD config issue and out of the box it will generate a JWT token for MS Graph and the whole auth process succeeds but when you try to validate the token it fails for some reason. Once you have setup Azure AD correctly for your app with a correct scope it validates properly. I blogged about the specifics here - https://blog.jonathanchannon.com/2022-01-29-azuread-golang/

Jon
  • 38,814
  • 81
  • 233
  • 382