Out of the box, go-jwt normally expects you to directly provide an rsa.PrivateKey object. That is fine if you have the key bytes handy in some sort of local storage.
go-jwt can be extended to support arbitrary providers holding the key. In this case, you can have the private key saved into KMS, Yubikeys, Hashicorp Vault or even a Trusted Platform Module.
Each ‘backend’ you choose to save the keys to requires you to import that package and use that directly.
In contrast, the implementation described here takes a step back: you define any key backend that implements the
crypto.Signer interface and then provide that directly to the library.
Instead of importing a use-specific golang-jwt implementation and using that, what we’ll do here is just provide a generic
You can find the source here
this repo is not supported by google
For other references, see:
Using this is really easy: you just need something that surfaces that interface.
I’ve written some simple ones here; the
examples/ folder uses a PEM Signer (yes, I’m well aware go-jwt already supports PEM format keys; I just happened to make a Signer so I could test the other ones).
The following shows the PEM signer and Google Cloud KMS based signers:
The output is a signed JWT
# cd examples/
$ go run main.go
2022/08/12 14:40:37 verified with Signer PublicKey
2022/08/12 14:40:37 verified with exported PubicKey
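To make the crypto.Signer idea concrete, here is an added example that is not code from the repository or the post. It does not import golang-jwt (so it runs with only the Go standard library); instead it signs and verifies a compact RS256 JWT itself, with the signing side seeing nothing but a crypto.Signer. The names signerOnly, SignRS256, VerifyRS256 and NewTestSigner are this example's own; the wrapper type stands in for whatever backend (KMS, Vault, YubiKey, TPM) would hold the key in practice.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// signerOnly hides an rsa.PrivateKey behind the crypto.Signer interface.
// In a real deployment this is where a KMS, Vault, YubiKey or TPM backend
// would sit: callers get a digest signed and never see the key bytes.
type signerOnly struct {
	priv *rsa.PrivateKey
}

func (s *signerOnly) Public() crypto.PublicKey { return &s.priv.PublicKey }

func (s *signerOnly) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	// RS256 is PKCS#1 v1.5 over SHA-256; the backend only ever receives the digest.
	if opts.HashFunc() != crypto.SHA256 {
		return nil, errors.New("signerOnly: only SHA-256 digests are supported")
	}
	return rsa.SignPKCS1v15(r, s.priv, crypto.SHA256, digest)
}

var b64 = base64.RawURLEncoding

// SignRS256 builds a compact JWT and signs it with any crypto.Signer.
// It knows nothing about where the private key lives.
func SignRS256(s crypto.Signer, claims map[string]interface{}) (string, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := s.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 checks a compact JWT against the public half returned by Signer.Public().
func VerifyRS256(pub crypto.PublicKey, token string) (map[string]interface{}, error) {
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm on the verifier side; never let the token choose it.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// NewTestSigner generates a throwaway in-memory key (constructed for this example)
// and hands it back only as a crypto.Signer.
func NewTestSigner() (crypto.Signer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &signerOnly{priv: k}, nil
}

func main() {
	s, err := NewTestSigner()
	if err != nil {
		panic(err)
	}
	tok, err := SignRS256(s, map[string]interface{}{"sub": "alice", "iss": "example"})
	if err != nil {
		panic(err)
	}
	claims, err := VerifyRS256(s.Public(), tok)
	if err != nil {
		panic(err)
	}
	fmt.Println("verified with Signer PublicKey, sub =", claims["sub"])
}
```

The point to notice is that SignRS256 takes the interface, not a key: swapping the in-memory signerOnly for a KMS- or TPM-backed Signer changes nothing on the JWT side, and the verifier only ever needs Signer.Public(). Pinning "RS256" on the verifier side is the check a practitioner should keep regardless of backend.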
The JWT is formatted as: