gcp

golang-jwt using arbitrary crypto.Signer

2022-08-11

Another extension for go-jwt that allows creating and verifying JWT tokens where the private key is abstracted as something that is accessible through the crypto.Signer interface.

The out of the box go-jwt normally expects you to directly provide an rsa.PrivateKey object. That is normally just fine if you have the key bytes handy in some sort of local storage.

go-jwt can be extended to support arbitrary providers holding the key. In this case, you can have the private key saved into KMS, Yubikeys, Hashicorp Vault or even a Trusted Platform Module.

Each ‘backend’ you choose to save the keys to requires you to import that backend's package and use it directly.

In contrast, the implementation described here takes it a step back: you define any key backend that implements the crypto.Signer interface and then provide that directly to the library.

Instead of importing a use-specific golang-jwt implementation and using that, what we’ll do here is just provide a generic Signer.
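To make the idea concrete, here is an added example (not code from the original post or from the repo it describes) that does the same thing with only the Go standard library: a JWT is signed and verified through nothing but the two methods of crypto.Signer. The localSigner type is a hypothetical backend that happens to hold an RSA key in memory; a KMS, Vault or TPM backend would implement the same Public() and Sign() methods and the SignRS256/VerifyRS256 functions would not change. The kid value "1212" and the claims mirror the token shown later on the page; the function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// localSigner is a hypothetical key backend. It keeps the RSA key private and
// exposes it only through crypto.Signer, which is the same surface a KMS, Vault
// or TPM backed signer would offer: the signing code never sees key bytes.
type localSigner struct{ key *rsa.PrivateKey }

func (s *localSigner) Public() crypto.PublicKey { return &s.key.PublicKey }

func (s *localSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	// RS256 is RSASSA-PKCS1-v1_5 over a SHA-256 digest.
	return rsa.SignPKCS1v15(r, s.key, opts.HashFunc(), digest)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 builds header.payload, hashes it and asks the Signer for the signature.
func SignRS256(signer crypto.Signer, kid string, claims map[string]any) (string, error) {
	hb, err := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	if err != nil {
		return "", err
	}
	cb, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(hb) + "." + b64(cb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyRS256 checks the token with the public key only (signer.Public() or an
// exported copy of it). The algorithm is pinned to RS256 rather than taken from
// the header, and "exp" is enforced.
func VerifyRS256(token string, pub crypto.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(cb, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); ok && time.Now().Unix() > int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed test key; a real backend would hold it elsewhere
	if err != nil {
		panic(err)
	}
	signer := &localSigner{key: key}
	tok, err := SignRS256(signer, "1212", map[string]any{"iss": "test", "exp": time.Now().Add(time.Hour).Unix()})
	if err != nil {
		panic(err)
	}
	claims, err := VerifyRS256(tok, signer.Public())
	if err != nil {
		panic(err)
	}
	fmt.Println("TOKEN:", tok)
	fmt.Println("verified with Signer PublicKey, iss =", claims["iss"])
}
```

Swapping in a KMS or TPM backend means replacing only the localSigner type; because the verifier receives the key through signer.Public(), the "verified with Signer PublicKey" step the page's output shows works the same way regardless of where the private half lives.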


You can find the source here

this repo is not supported by google

just a bill



For other references, see:

Using this is really easy…you just need something that surfaces that interface.

I’ve written some simple ones here…the examples/ folder uses a PEM Signer (yes I’m well aware go-jwt already supports PEM format keys…I just happened to make a Signer so I could test the other ones).

The following shows the PEM signer and Google Cloud KMS based signers:

The output is a signed JWT:

# cd examples/

$ go run main.go 
TOKEN: eyJhbGciOiJSUzI1NiIsImtpZCI6IjEyMTIiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjE2NjAzMjk2OTcsImlzcyI6InRlc3QifQ.jcvMEHXKVAdjgGQM6n7U9y0wkJKIdwCmQu2SNrz67L6G5gN0aGBGVaANcQ4iCJ3BM-r92GCdzIr3SlDtBs9C-9EDXzIygp41Xct66jbeqcJ4Udkf_5nHDgKyyMuxLnlkQO5SD9aZYHacJtv34P7THeAA6WUoVhsTYg5QvE0pDDkWf4PYeADh_gP7wnFha1jjjwMDPWhNyJhxSICBQ4I8s_s8FhWNr_shXqMwYPZj3fEabHbsRAZIEr8Y2nQAsQHAE97rU8CutShsQeY59WkHy04zx2HHbBepM6nnSHqtWFkh12eT4-8TvaMBNX9yv20ln6OHaKaIf3RpsreAFPf_TQ
2022/08/12 14:40:37      verified with Signer PublicKey
2022/08/12 14:40:37      verified with exported PubicKey

The JWT is formatted as:

{
  "alg": "RS256",
  "kid": "1212",
  "typ": "JWT"
}
{
  "exp": 1660329697,
  "iss": "test"
}
