paint-brush
How To Build JWT's in Goby@wagslane
1,026 reads
1,026 reads

How To Build JWT's in Go

by Lane WagnerFebruary 24th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

JWT's are encoded JSON objects that have been signed by the server, verifying authenticity. JWTs are one of the most popular ways to handle authentication on API requests. In this article, we go over the basics of JWT and how to implement a secure authentication strategy in Go. We are going to use a popular library for dealing with JWT's in Go, jwt-go, jWT-go. We will use a symmetric encryption scheme and use a private key to verify the JWT.

People Mentioned

Mention Thumbnail

Company Mentioned

Mention Thumbnail

Coin Mentioned

Mention Thumbnail
featured image - How To Build JWT's in Go
Lane Wagner HackerNoon profile picture

Go is becoming very popular for backend web development, and JWT's are one of the most popular ways to handle authentication on API requests. In this article, we are going to go over the basics of JWT's and how to implement a secure authentication strategy in Go!


What is a JWT?

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.


More simply put, JWT's are encoded JSON objects that have been signed by the server, verifying authenticity.

For example, when a user logs in to a website secured via JWTs, the flow should look something like this:

  1. The user sends a username and password to the server
  2. The server verifies username and password are correct
  3. The server creates a JSON object (aka claims) that looks like this:
    {"username":"wagslane"}
    
  4. The server encodes and signs the JSON object, creating a JWT:
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IndhZ3NsYW5lIn0.ov6d8XtwQoKUwsYahk9UwH333NICElFSs6ag6pINyPQ
  5. The user's web client saves the JWT for later use
  6. When the user makes a request to a protected endpoint, it passes the JWT is along in an HTTP header
  7. The server checks the signature on the JWT to make sure the JWT was originally created by the same server
  8. The server reads the claims and gives permission to the request to operate as "
    wagslane
    "

Create a JWT

We are going to use a popular library for dealing with JSON Web Tokens's in Go, jwt-go. Make sure you have the code cloned locally:

go get github.com/dgrijalva/jwt-go

For simplicity, we are building a symmetric encryption scheme. This means we assume that the server that creates the JWTs will also be the only server that will be verifying them.

First, define a struct that will be used to represent claims to identify our users:

type customClaims struct {
	Username string `json:"username"`
	jwt.StandardClaims
}

The jwt.StandardClaims struct contains useful fields like expiry and issuer name. Now we will create some actual claims for the user that just logged in:

claims := customClaims{
	Username: username,
	StandardClaims: jwt.StandardClaims{
		ExpiresAt: 15000,
		Issuer:    "nameOfWebsiteHere",
	},
}

Create an unsigned token from the claims:

token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)

Sign the token using a secure private key. In production make sure you use a real private key, preferably at least 256 bits in length:

signedToken, err := token.SignedString([]byte("secureSecretText"))

Now the signed token can be sent back to the client.


Validating a JWT

When the client makes a request to a protected endpoint we can verify the JWT is authentic using the following steps.

*Note: It is idiomatic to use the Authorization HTTP header:

Authorization: Bearer {jwt}

After receiving the JWT, validate the claims and verify the signature using the same private key:

token, err := jwt.ParseWithClaims(
	jwtFromHeader,
	&customClaims{},
	func(token *jwt.Token) (interface{}, error) {
		return []byte("secureSecretText"), nil 
	},
)

If the claims have been tampered with then the err variable will not be nil.


Parse the claims from the token:

claims, ok := token.Claims.(*customClaims)
if !ok {
	return errors.New("Couldn't parse claims")
}

Check if the token is expired:

if claims.ExpiresAt < time.Now().UTC().Unix() {
	return errors.New("JWT is expired")
}

You now know the username of the authenticated user!

username := claims.Username

For full examples take a look at the package's tests.


Thanks For Reading!

By Lane Wagner

Previously published at https://qvault.io/2020/02/20/how-to-build-jwts-in-go-golang/