The documentation only has parsing and validating with HMAC:
https://pkg.go.dev/github.com/golang-jwt/jwt/v5#example-Parse-Hmac
Is there any way to decode in RS256?
Replies: 2 comments
Try using ParseUnverified; it is useful if you want to extract values without validating.
Line 430 in 148d710
👎 1
Please do NOT use ParseUnverified unless you REALLY know what you are doing.
We really need to supply an appropriate example using asymmetric keys. Basically it works the same way as for HMAC, but instead of supplying a []byte key, you need to supply a *rsa.PublicKey in the keyfunc. Something like:

```go
var myPublicKey *rsa.PublicKey

// Load key from file
myPublicKey = /*...*/

token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
	// Don't forget to validate the alg is what you expect:
	if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
		return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
	}

	return myPublicKey, nil
})
```
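The two checks the reply above depends on (pinning the alg and verifying the RSA signature before trusting any claim), written against the Go standard library only so it runs without the jwt module. This is an added example, not code from the thread or from golang-jwt; `demoKey`, `signRS256` and `verifyRS256` are hypothetical names and the key and tokens are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed sample key

func signRS256(k *rsa.PrivateKey, header, claims string) string { // builds sample tokens only
	in := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(claims))
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, sum[:])
	return in + "." + b64.EncodeToString(sig)
}

// verifyRS256 returns the claims only if alg is RS256 and the signature verifies.
func verifyRS256(tok string, pub *rsa.PublicKey) (claims map[string]any, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hb, e1 := b64.DecodeString(p[0])
	cb, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	var hdr struct{ Alg string }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if hdr.Alg != "RS256" { // pin the algorithm before touching the key
		return nil, fmt.Errorf("unexpected signing method: %q", hdr.Alg)
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1])) // signature covers header.payload
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, err
	}
	err = json.Unmarshal(cb, &claims)
	return claims, err
}

func main() {
	fmt.Println(verifyRS256(signRS256(demoKey, `{"alg":"RS256","typ":"JWT"}`, `{"sub":"alice"}`), &demoKey.PublicKey))
}
```

A token whose payload segment is swapped after signing still base64-decodes cleanly, which is all an unverified parse looks at; only the signature check rejects it.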