CODEWITHSUNDEEP
gojwtjwt-go
jor2
jor2

Reputation: 468

Decode JWT without validation and find scope

I need to decode my JWT token and check if the scope is a "Doctor".

I know very little about GO, but I just need to write a tiny snippet in my application to extend an existing application so it needs to be written in GO.

This was my attempt at decoding the token and checking if "Doctor" was in the decoded token as I wasn't able to access the scope exclusively.

for k, v := range props {
        token_value := fmt.Sprint(v)
        token_key := fmt.Sprint(cfg.AuthKey)
        if (k == "custom_token_header") && strings.Contains(token_value, token_key) {
            if token, _ := jwt.Parse(token_value, nil); token != nil {
                parsed_token := fmt.Sprint(token)
                log.Infof("Parsed token: " ,parsed_token)
                if strings.Contains(parsed_token, "Doctor")  {
                    log.Infof("user is a Doctor, perform checks...")
                    loc, _ := time.LoadLocation("GMT")
                    now := time.Now().In(loc)
                    hr, _, _ := now.Clock()
                    if hr >= 9 && hr < 5 {
                        log.Infof("success, inside of work hours!!")
                        return &v1beta1.CheckResult{
                            Status: status.OK,
                        }, nil
                    }
                    log.Infof("failure; outside of work hours!!")
                    return &v1beta1.CheckResult{
                        Status: status.WithPermissionDenied("Unauthorized..."),
                    }, nil
                }
            }
            log.Infof("success, as you're not a doctor!!")
            return &v1beta1.CheckResult{
                Status: status.OK,
            }, nil
        }
    }

It's working fine outside of my app, but when run inside my app it's being strange and giving back this <nil> map[] <nil> false for where the claims would be, but when run outside the app it gives me

map[alg:RS256 kid:NUVGODIxQThBQkY2NjExQjgzMEJEMjVBQTc3QThBNTY4QTY3MzhEMA typ:JWT] map[aud:https://rba.com/doctor azp:3XFBbjTL6tsL9wH6iZQtkz3rKgGeiLwh exp:1.55546266e+09 gty:client-credentials iat:1.55537626e+09 iss:https://jor2.eu.auth0.com/ scope:Doctor sub:3XFBbjTL6tsL9wH6iZQtkz3rKgGeiLwh@clients]  false

Thanks to devdotlog I was able to get this working with this change:

for k, v := range props {
        tokenString := fmt.Sprint(v)
        tokenKey := fmt.Sprint(cfg.AuthKey)
        if (k == "custom_token_header") && strings.Contains(tokenString, tokenKey) {
            tokenString = strings.Replace(tokenString, "Bearer ", "", -1)
            token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
            if err != nil {
                fmt.Println(err)
                return nil, nil
            }
            if claims, ok := token.Claims.(jwt.MapClaims); ok {
                tokenScope := fmt.Sprint(claims["scope"])
                log.Infof("Scope: ", tokenScope)
                if tokenScope == "Doctor" {
                    log.Infof("user is a Doctor, perform checks...")
                    loc, _ := time.LoadLocation("GMT")
                    now := time.Now().In(loc)
                    hr, _, _ := now.Clock()
                    if hr >= 9 && hr < 5 {
                        log.Infof("success, inside of work hours!!")
                        return &v1beta1.CheckResult{
                            Status: status.OK,
                        }, nil
                    }
                    log.Infof("failure; outside of work hours!!")
                    return &v1beta1.CheckResult{
                        Status: status.WithPermissionDenied("Unauthorized..."),
                    }, nil
                }
                fmt.Println(claims["scope"])
            } else {
                fmt.Println(err)
            }
            log.Infof("success, as you're not a doctor!!")
            return &v1beta1.CheckResult{
                Status: status.OK,
            }, nil
        }
    }

Upvotes: 4

Views: 15746

Answers (1)

sh.seo
sh.seo

Reputation: 1610

You use github.com/dgrijalva/jwt-go. That's right?

You use ParseUnverified(https://godoc.org/github.com/dgrijalva/jwt-go#Parser.ParseUnverified) without validation.

Below code is ParseUnverified()' example.

package main

import (
    "fmt"

    "github.com/dgrijalva/jwt-go"
)

func main() {
    // This token is expired
    var tokenString = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJleHAiOjE1MDAwLCJpc3MiOiJ0ZXN0In0.HE7fK0xOQwFEr4WDgRWj4teRPZ6i3GLwD5YCm6Pwu_c"

    token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
    if err != nil {
        fmt.Println(err)
        return
    }

    if claims, ok := token.Claims.(jwt.MapClaims); ok {
        fmt.Println(claims["foo"], claims["exp"])
    } else {
        fmt.Println(err)
    }
}

ParseUnverified() only use for debug.

WARNING: Don't use this method unless you know what you're doing

This method parses the token but doesn't validate the signature. It's only ever useful in cases where you know the signature is valid (because it has been checked previously in the stack) and you want to extract values from it.

Upvotes: 20

Related Questions