I have this function:
func GetSigningKey() *rsa.PublicKey {
set, _ := jwk.ParseString(GetWellKnown())
publicKey, _ := set.Keys[0].Materialize()
return publicKey.(*rsa.PublicKey)
}
.Materialize() returns interface{}, so I use this function to cast it to (what I think is) the expected type.
I can then use that token with:
publicKey := GetSigningKey()
token, _ := jwt.Parse(tokenString, func(*jwt.Token) (interface{}, error) {
return publicKey, nil
})
fmt.Println(token.Valid)
A few questions:
The purpose of the GetSigningKey function is to obtain the signing key from a well known file and cast the resulting key to the correct type.
1) This requires an http request which lives within GetWellKnown(). In that function, I do the http request and cache the response in a variable so following requests will pull from that variable. Is this a good practice? (follow up, should I do the same thing to the parsed public key in GetSigningKey())
2) Am I right in assuming that this is the best way to cast the interface{} to the correct type?
3) if I try fmt.Println(GetSigningKey()) I get a long, unrecognisable sequence of numbers
&{2568409364095596940117712027335... %!s(int=65537)}635 <nil>
What exactly am I seeing here?
There's no error checking in your code. Especially if the JWKS is empty or contains something that's not an RSA key, your program will just crash, and that tends to not be the behavior encouraged in Go. I'd add some checking around the whole thing; for instance,
func GetSigningKey() *rsa.PublicKey, error {
...
if rsaKey, ok := publicKey.(*rsa.PublicKey); ok {
return rsaKey, nil
}
return nil, errors.New("not an RSA key")
}
Remember that other signing methods exist and in principle you can get back an ECDSA key or (in theory) a raw key for symmetric signing, so checking here is valuable.
The other high-level thing you should try is to take the raw JSON Web token and decode it; https://jwt.io/ has a debugger I use. If the header contains a claim named "kid", that is a key ID, and you should be able to pass that key ID as an input to the JWKS library. That should be more robust than blindly using the first key in the JWKS.
Online JWKS documents can change, but seem to generally do so infrequently (on a scale of months). (If they do change, it's likely that a JWKS will include both old and new keys.) Caching them in-process is extremely reasonable. If you see a "kid" you don't recognize that can be a signal to try refetching the document.
Your fmt.Printf output looks like it's probably the raw RSA public key. The public key itself consists of two numbers, one being the product of two large prime numbers and the second frequently being exactly 65537. There is some more discussion of this in the Wikipedia description of RSA.