The latest articles on Forem by C Turner (@catturner). https://forem.com/catturner https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F113014%2Fdad00ba3-8a27-47e0-a79c-96979b745bc3.jpeg https://forem.com/catturner en C Turner Thu, 20 May 2021 04:07:25 +0000 https://forem.com/catturner/verifying-cognito-jwt-tokens-in-go-17kk https://forem.com/catturner/verifying-cognito-jwt-tokens-in-go-17kk <p>You can use JSON Web Tokens (JWTs) as a part of OpenID Connect (OIDC) and OAuth 2.0 frameworks to limit client access to your APIs.</p> <h2> Background </h2> <p>Authorizing API requests should consist of a few <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html">steps</a>.</p> <h3> Validate claims </h3> <ul> <li>kid - The token must have a header claim that matches the key in the jwks_uri that signed the token.</li> <li>iss – Must match the issuer that is configured for the authorizer.</li> <li>exp – Must be before the current time in UTC.</li> <li>nbf – Must be before the current time in UTC.</li> <li>eat – Must be before the current time in UTC.</li> <li>aud or client_id</li> </ul> <p>The audience ("client_id") in the payload matches the app client ID created in the Cognito user pool.</p> <h3> Verify the signature </h3> <p>The Signature is created using the Header and Payload segments, a signing algorithm, and a secret or public key (depending on the chosen signing algorithm). You do this to verify that the token was signed by the sender and not altered in any way.</p> <p>You can get the information you need from your public keys, which are available at address:<br> <a href="https://cognito-idp.%7Bregion%7D.amazonaws.com/%7BuserPoolId%7D/.well-known/jwks.json">https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json</a></p> <p>I used <a href="https://github.com/auth0/go-jwt-middleware">Auth0's jwt middleware library</a> because it has the ability to check the authorization header for a JWT and it decodes the JWT and sets the content to the request context.</p> <p>You will also need the library <code>"github.com/form3tech-oss/jwt-go"</code>.</p> <p>I used <code>jwtmiddleware</code> so that all my requests check the JWT token. Following along <a href="https://github.com/auth0/go-jwt-middleware/blob/master/examples/http-example/main.go#L21">this example</a>, I made two functions that </p> <ol> <li>validate the claims and </li> <li>create the RSA public key, which will be used by <a href="https://github.com/auth0/go-jwt-middleware/blob/master/jwtmiddleware.go#L99"><code>jwt-go</code> CheckJWT()</a> function to check the token's signature.</li> </ol> <h2> Validate claims with a function </h2> <p>Use this function as an argument to <a href="https://github.com/auth0/go-jwt-middleware/blob/master/examples/http-example/main.go">ValidationKeyGetter</a> argument.</p> <p>Mine looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="k">type</span> <span class="n">Jwks</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Keys</span> <span class="p">[]</span><span class="n">JSONWebKeys</span> <span class="s">`json:"keys"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">JSONWebKeys</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Kty</span> <span class="kt">string</span> <span class="s">`json:"kty"`</span> <span class="n">Kid</span> <span class="kt">string</span> <span class="s">`json:"kid"`</span> <span class="n">Use</span> <span class="kt">string</span> <span class="s">`json:"use"`</span> <span class="n">N</span> <span class="kt">string</span> <span class="s">`json:"n"`</span> <span class="n">E</span> <span class="kt">string</span> <span class="s">`json:"e"`</span> <span class="p">}</span> <span class="k">func</span> <span class="n">validationGetter</span><span class="p">(</span><span class="n">token</span> <span class="o">*</span><span class="n">jwt</span><span class="o">.</span><span class="n">Token</span><span class="p">)</span> <span class="p">(</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">clientId</span> <span class="o">:=</span> <span class="s">"your client id"</span> <span class="c">// AWS Cognito public keys are available at address:</span> <span class="c">//https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json</span> <span class="n">publicKeysURL</span> <span class="o">:=</span> <span class="s">"url to your public key"</span> <span class="n">iss</span> <span class="o">:=</span> <span class="s">"your iss"</span> <span class="n">resp</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">publicKeysURL</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="k">var</span> <span class="n">jwks</span> <span class="o">=</span> <span class="n">Jwks</span><span class="p">{}</span> <span class="n">err</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">resp</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">jwks</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// Verify 'iss' claim</span> <span class="n">checkIss</span> <span class="o">:=</span> <span class="n">token</span><span class="o">.</span><span class="n">Claims</span><span class="o">.</span><span class="p">(</span><span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">)</span><span class="o">.</span><span class="n">VerifyIssuer</span><span class="p">(</span><span class="n">iss</span><span class="p">,</span> <span class="no">false</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">checkIss</span> <span class="p">{</span> <span class="k">return</span> <span class="n">token</span><span class="p">,</span> <span class="n">gqlerror</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"invalid iss"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Verify audience and make sure it matches client id</span> <span class="n">aud</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">token</span><span class="o">.</span><span class="n">Claims</span><span class="o">.</span><span class="p">(</span><span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">)[</span><span class="s">"client_id"</span><span class="p">]</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="k">if</span> <span class="n">aud</span> <span class="o">!=</span> <span class="n">clientId</span> <span class="p">{</span> <span class="k">return</span> <span class="n">token</span><span class="p">,</span> <span class="n">gqlerror</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"invalid audience"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Validates time based claims "exp, iat, nbf"</span> <span class="n">err</span> <span class="o">=</span> <span class="n">token</span><span class="o">.</span><span class="n">Claims</span><span class="o">.</span><span class="p">(</span><span class="n">jwt</span><span class="o">.</span><span class="n">MapClaims</span><span class="p">)</span><span class="o">.</span><span class="n">Valid</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">token</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"token expired"</span><span class="p">)</span> <span class="p">}</span> <span class="n">checkKid</span> <span class="o">:=</span> <span class="no">false</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">jwks</span><span class="o">.</span><span class="n">Keys</span> <span class="p">{</span> <span class="k">if</span> <span class="n">token</span><span class="o">.</span><span class="n">Header</span><span class="p">[</span><span class="s">"kid"</span><span class="p">]</span> <span class="o">==</span> <span class="n">jwks</span><span class="o">.</span><span class="n">Keys</span><span class="p">[</span><span class="n">k</span><span class="p">]</span><span class="o">.</span><span class="n">Kid</span> <span class="p">{</span> <span class="n">checkKid</span> <span class="o">=</span> <span class="no">true</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="o">!</span><span class="n">checkKid</span> <span class="p">{</span> <span class="k">return</span> <span class="n">token</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"Invalid kid"</span><span class="p">)</span> <span class="p">}</span> <span class="n">pk</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">getPublicKey</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">jwks</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"Something went wrong."</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">pk</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Be sure to make your error messages less helpful so that you can not drop hints for devs who are trying to forge tokens. The constants <code>clientId</code>, <code>iss</code>, and <code>publicKeysURL</code> should be fetched from your configuration file.</p> <h2> Create a public key that can be used to verify the signature </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// getPublicKey ... function to return the public key</span> <span class="k">func</span> <span class="n">getPublicKey</span><span class="p">(</span><span class="n">token</span> <span class="o">*</span><span class="n">jwt</span><span class="o">.</span><span class="n">Token</span><span class="p">,</span> <span class="n">jwks</span> <span class="n">Jwks</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">rsa</span><span class="o">.</span><span class="n">PublicKey</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">pk</span> <span class="o">*</span><span class="n">rsa</span><span class="o">.</span><span class="n">PublicKey</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">jwks</span><span class="o">.</span><span class="n">Keys</span> <span class="p">{</span> <span class="k">if</span> <span class="n">token</span><span class="o">.</span><span class="n">Header</span><span class="p">[</span><span class="s">"kid"</span><span class="p">]</span> <span class="o">==</span> <span class="n">jwks</span><span class="o">.</span><span class="n">Keys</span><span class="p">[</span><span class="n">k</span><span class="p">]</span><span class="o">.</span><span class="n">Kid</span> <span class="p">{</span> <span class="c">// decode the base64 bytes for n</span> <span class="n">nb</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">base64</span><span class="o">.</span><span class="n">RawURLEncoding</span><span class="o">.</span><span class="n">DecodeString</span><span class="p">(</span><span class="n">jwks</span><span class="o">.</span><span class="n">Keys</span><span class="p">[</span><span class="n">k</span><span class="p">]</span><span class="o">.</span><span class="n">N</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatal</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">e</span> <span class="o">:=</span> <span class="m">0</span> <span class="c">// The default exponent is usually 65537, so just compare the</span> <span class="c">// base64 for [1,0,1] or [0,1,0,1]</span> <span class="k">if</span> <span class="n">jwks</span><span class="o">.</span><span class="n">Keys</span><span class="p">[</span><span class="n">k</span><span class="p">]</span><span class="o">.</span><span class="n">E</span> <span class="o">==</span> <span class="s">"AQAB"</span> <span class="o">||</span> <span class="n">jwks</span><span class="o">.</span><span class="n">Keys</span><span class="p">[</span><span class="n">k</span><span class="p">]</span><span class="o">.</span><span class="n">E</span> <span class="o">==</span> <span class="s">"AAEAAQ"</span> <span class="p">{</span> <span class="n">e</span> <span class="o">=</span> <span class="m">65537</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c">// need to decode "e" as a big-endian int</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatal</span><span class="p">(</span><span class="s">"need to deocde e:"</span><span class="p">,</span> <span class="n">jwks</span><span class="o">.</span><span class="n">Keys</span><span class="p">[</span><span class="n">k</span><span class="p">]</span><span class="o">.</span><span class="n">E</span><span class="p">)</span> <span class="p">}</span> <span class="n">pk</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">rsa</span><span class="o">.</span><span class="n">PublicKey</span><span class="p">{</span> <span class="n">N</span><span class="o">:</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">SetBytes</span><span class="p">(</span><span class="n">nb</span><span class="p">),</span> <span class="n">E</span><span class="o">:</span> <span class="n">e</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">pk</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">pk</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"Could not find match"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Note that at the end of the function <code>validationGetter</code> we actually return the public key (pk) after we have completed our checks. The public key will then be used by <code>jwtmiddleware</code> to verify the signature of the token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="n">jwtMiddleware</span> <span class="o">:=</span> <span class="n">jwtmiddleware</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">jwtmiddleware</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">ValidationKeyGetter</span><span class="o">:</span> <span class="n">validationGetter</span><span class="p">,</span> <span class="n">SigningMethod</span><span class="o">:</span> <span class="n">jwt</span><span class="o">.</span><span class="n">SigningMethodRS256</span><span class="p">,</span> <span class="n">Debug</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>And that's it! What do you think? Can it be simplified? Drop a comment below.</p> go jwt cognito C Turner Sun, 14 Jun 2020 01:26:37 +0000 https://forem.com/catturner/how-to-rename-your-git-branch-12do https://forem.com/catturner/how-to-rename-your-git-branch-12do <p>Thinking about renaming your default branch for your repo? You can do it 3 easy steps.<br> git branch -m stem<br> git push origin :master<br> git push --set-upstream origin stem</p> <p>You might encounter an error that looks like this! Not to worry, this means that your default branch is set to master, and you need to change your repo settings.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--b6pwccPY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/cx3n44cgdeigrt1lmak9.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--b6pwccPY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/cx3n44cgdeigrt1lmak9.png" alt="Alt Text"></a></p> <p>Go to your repo, and switch to another branch as your default. Do your thang. Then update your default branch settings to the new branch you have made!<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--lH369GQS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/u4bgv43vlexvy2ja96g9.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--lH369GQS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/u4bgv43vlexvy2ja96g9.png" alt="Alt Text"></a></p> <p>That's it! What did you rename your branch to? Drop a comment below. Like a comment if you renamed your branch to the same thing!</p> github C Turner Sat, 03 Aug 2019 16:55:37 +0000 https://forem.com/catturner/where-are-you-from-1ngg https://forem.com/catturner/where-are-you-from-1ngg <p>‪Stop power washing your life story. If you've been healing, say it. If you've build some amazing memories, share it. Show who you are, and what you will become.‬</p> motivation codenewbie powerwash