Comments (4)
ewanharris
commented on August 11, 2024
Hey @Devkahar,
As this library is focused on protecting APIs using access tokens, and not strictly validation of JWTs, we feel that the requirement for an audience is fair as without this it would allow any access token associated with the issuer to be used rather than those specifically authorized for the resource.
At the time of creation there was no standard definition for this process (although there is now RFC 9068 that the validation in this library is close to) so this library followed the documented Auth0 recommendation.
Do you have a specific use case where an IdP issues a valid access token for accessing a resource with no audience set?
from go-jwt-middleware.
nkhalasi
commented on August 11, 2024
Hi...this is Naresh from Dev's team.
We understand the RFC you are referring as the specs for this middleware implementation.
We do not use any IdP yet and have a home grown SSO implementation based on JWT.
So far we have built microservices using Kotlin (KTOR web framework) where we use the middleware/intercepter from auth0 and that middleware is aligning with the expectations laid down in RFC 7519.
We are now starting to write a few microservices using GOLANG and use GIN framework.
We wanted to introduce a middleware with the same expectations and hence attempted to integrate this library.
At this point we are not sure what is the right approach. The middleware that we are using in the kotlin world relies on java-jwt - https://github.com/auth0/java-jwt/blob/master/lib/src/main/java/com/auth0/jwt/JWTVerifier.java
from go-jwt-middleware.
ewanharris
commented on August 11, 2024
Hey @nkhalasi,
Given that java-jwt is a JWT parsing library it doesn't have the same requirements as this library and isn't necessarily a middleware library, for example in Java we provide a auth0-spring-security-api that uses java-jwt and is focused on securing APIs with JWTs and matches the same audience requirement as this library.
If possible I would recommending introducing an aud claim into your JWTs which would allow using this library, or if that isn't possible you could either fork this library and remove the check or build some middleware around a JWT parsing library such as https://github.com/go-jose/go-jose (what this library uses).
from go-jwt-middleware.
ewanharris
commented on August 11, 2024
I'm going to close this issue as I believe it should be answered with my previous comment.
from go-jwt-middleware.
Related Issues (20)
- provide a gin gonic example HOT 2
- Missing cookie causes CookieTokenExtractor to return error HOT 7
- Custom `ValidateWithLeeway` in #176 Introduced Breaking Changes to Token Validation HOT 3
- Allow middleware to be used in a gRPC environment HOT 7
- Cannot import internal oidc package HOT 1
- An error occured while validating JWT: jwt invalid: error getting the keys from the key func: could not get well known endpoints from url https:///.well-known/openid-configuration: Get "https:///.well-known/openid-configuration": http: no Host in request URL HOT 3
- Improve performance of JWKS Caching Provider HOT 4
- Support validate multiple issuers HOT 1
- Example for IRIS Framework
- Allow custom http Client to be used by the JWKS Provider HOT 2
- issue with token validator HOT 4
- v2.1.0 Diversions from JOSE By validating audiences when none expected HOT 4
- validationKeyGetter - can not use dgrijalva as form3tech-oss Keyfunc value in struct literal HOT 1
- issue with token validator
- go-jose v2 is deprecated, should be upgraded to v3 HOT 2
- Examples do not work. jwtmiddleware missing in v2.2.0 HOT 2
- Support for Gin HOT 2
- newVerifier() function - verificationKey type
- Upgrade `go-jose` from v2 to v4 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from go-jwt-middleware.